guusdk / httpfileuploadcomponent

An XMPP External Component that implements XEP-0363 'HTTP File Upload'.
Apache License 2.0

Implement configurable Content-Security-Policy #50

Open Fishbowler opened 10 months ago

Fishbowler commented 10 months ago
guusdk commented 10 months ago

Thanks @Fishbowler - this certainly is an improvement over what it is replacing!

One concern: you've applied it to only GET requests. You're probably right that this is where it currently is needed, but why not apply it to every request? Most HTTP requests can include data (and thus, possibly executable things). Even if they do not now, is there a downside in having this header on all of the responses - if only to make sure that if future changes ever cause executable content to be returned, we've defensively coded to guard for that?

Fishbowler commented 10 months ago

I'd included GET only, since the PUT was very specific in the current case. I've extended it to PUT - you're right that it's only a few bytes and could be useful in future unknown scenarios.

guusdk commented 10 months ago

If you apply the change to the 'service' method (where my original one-liner was), then I think you do not need the code duplication. As a bonus, it'll apply to any future method that may get used, too.
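The approach guusdk suggests, shown as an added example that is not the PR's or the project's code: override `service()` once so the `Content-Security-Policy` header is emitted for every HTTP method (including the `405` responses HttpServlet generates for methods the servlet does not implement), leaving `doGet` and `doPut` free of duplicated header logic. It assumes the `javax.servlet` API; the system property name `upload.csp` and the default policy value are illustrative assumptions, not the component's actual configuration.

```java
// Added illustration (not the project's code): set a configurable CSP header
// in service() so every HTTP method inherits it without per-method duplication.
// Assumptions: javax.servlet API; policy read from a hypothetical system
// property "upload.csp" with a restrictive default chosen for this example.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CspUploadServlet extends HttpServlet {

    // Assumed default for this example: treat served uploads as inert data
    // (no scripts, no framing, sandboxed). Not the project's value.
    static final String DEFAULT_CSP = "default-src 'none'; frame-ancestors 'none'; sandbox";

    private final String cspValue;

    public CspUploadServlet() {
        this(System.getProperty("upload.csp", DEFAULT_CSP));
    }

    /** Package-private constructor so tests can inject a policy directly. */
    CspUploadServlet(String cspValue) {
        this.cspValue = cspValue;
    }

    /** The header value this servlet will emit (empty string disables it). */
    String cspValue() {
        return cspValue;
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Set the header before dispatching: once a do* method starts streaming
        // a body the response may be committed and headers can no longer change.
        if (cspValue != null && !cspValue.isEmpty()) {
            resp.setHeader("Content-Security-Policy", cspValue);
        }
        // HttpServlet.service() routes to doGet/doPut/doHead/... as usual, and
        // answers 405 for methods not overridden; those responses carry the
        // header too, which is the "future methods" benefit noted in the PR.
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Method-specific logic only; no CSP handling needed here.
        resp.setContentType("application/octet-stream");
        resp.getOutputStream().write("example file bytes".getBytes("UTF-8"));
    }

    @Override
    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Consume the upload body and acknowledge; again no header duplication.
        byte[] buf = new byte[8192];
        while (req.getInputStream().read(buf) != -1) {
            // store the bytes (omitted: the component's own storage logic)
        }
        resp.setStatus(HttpServletResponse.SC_CREATED);
    }
}
```

Setting the header before `super.service()` rather than after matters for a file-serving endpoint: `doGet` may write a large body and commit the response, at which point a header added afterwards is silently dropped by the container.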