bobjflong
commented
7 years ago Hi @ygale !
Should the types and/or API of the library reflect the difference between CSP 1.0 and 2.0? In my opinion - no, that would be an unnecessary complication. CSP 2.0 is backward compatible with CSP 1.0, and both the security community and the browser providers seem to be very intent on upgrading quickly. I would just indicate in Haddock comments which parts of the syntax are CSP-2.0-only.
I agree that we should just support working CSP rules and perhaps document what version they conform to.
Can the upgrade to CSP 2.0 be done piecemeal, or must it be done all at once? Perhaps I'm biased because at the moment I only need one specific feature from CSP 2.0, but it seems to me that piecemeal is fine and more practical. (But of course if you want to do it all at once and it will actually get done promptly, that would be great!)
Piecemeal is totally fine by me. So please do feel free to open a PR with the new feature you need.
It's now definitely on my radar to do a larger update with the new stuff, perhaps over the Christmas holidays.
ygale
The W3C CSP 1.0 specification, which this library implements, is deprecated and no longer supported or recommended. The current CSP specification is CSP 2.0, which is (for the purposes of this library) just an expanded version of CSP 1.0 with a handful of new directives and some new allowed values.
The major browsers are currently in the process of rolling out support for 2.0 in their latest versions.
Would you consider upgrading this library to support CSP 2.0?
I cannot do the whole upgrade myself at this time, but I would be happy to provide a PR to support
frame-anscestors, which is the directive that I currently need.There are two questions to consider about this: