krakenjs / lusca

Application security for express apps.

Maybe CSP implementation is too naive? #18

Closed mstuart closed 10 years ago

mstuart commented 10 years ago

X-Content-Security-Policy in Firefox < 23.0, IE 10 & 11
X-Webkit-CSP in Chrome < 25.0, Safari < 7.0

Although Content-Security-Policy (correct, according to the spec) is what the latest FF, Chrome and Safari are using, leaving out IE 10 & 11 seems kind of wrong. :)

To implement this, I think we'll have to resort to user-agent sniffing (ouch!)

Source: http://caniuse.com/contentsecuritypolicy

jeffharrell commented 10 years ago

CSP is still new, thus the various headers. I had avoided X- implementations since they weren't fully ratified and (if I remember back correctly) had minor differences in the actual level of support and parsing of the rules.

I would say X-Webkit-CSP is too dated at this point, but if you want to test and PR support over for X-Content-Security-Policy for IE then we can always send down both headers. CSP headers can be large though, so you may want to see what this looks like.
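The two options discussed above (always sending both header names, or sniffing the user agent and adding the legacy name only for IE) as an added example in Express-middleware style; this is not lusca's code, and the `policy` object shape, the `legacy` option and the `Trident/6|7` match for IE 10/11 are assumptions made for the illustration. One caveat worth knowing before choosing either: IE 10 and 11 only honour the `sandbox` directive under `X-Content-Security-Policy`, so the legacy header buys less than its size suggests.

```javascript
// Added example, not part of lusca. Builds a CSP header value from a
// hypothetical policy object and decides which header name(s) to send.
// Express-style (req, res, next) middleware; runs without express installed.

const STANDARD_HEADER = 'Content-Security-Policy';
const LEGACY_HEADER = 'X-Content-Security-Policy'; // IE 10/11, Firefox < 23

// Serialize { directive: source | [sources] } into "dir src; dir src src".
function serializePolicy(policy) {
  return Object.keys(policy)
    .map((directive) => {
      const raw = policy[directive];
      const sources = Array.isArray(raw) ? raw : [raw];
      return `${directive} ${sources.join(' ')}`;
    })
    .join('; ');
}

// legacy === 'always': send both names to every client (no UA sniffing,
//   but every response carries the policy twice).
// legacy === 'sniff': add the legacy name only when the UA carries the
//   IE 10/11 Trident token (assumed regex; this is the sniffing the thread
//   wants to avoid, and it goes stale as browsers change).
// anything else: standard header only.
function headerNames(userAgent, legacy) {
  const names = [STANDARD_HEADER];
  if (legacy === 'always') {
    names.push(LEGACY_HEADER);
  } else if (legacy === 'sniff' && /Trident\/[67]\./.test(userAgent || '')) {
    names.push(LEGACY_HEADER);
  }
  return names;
}

// Middleware factory: options = { policy, legacy }.
function csp(options) {
  const value = serializePolicy(options.policy);
  return function cspMiddleware(req, res, next) {
    const ua = req.headers && req.headers['user-agent'];
    for (const name of headerNames(ua, options.legacy)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Constructed sample policy used by the stand-alone run and the checks below.
const SAMPLE_POLICY = {
  'default-src': "'self'",
  'script-src': ["'self'", 'https://cdn.example.com'],
  'img-src': ["'self'", 'data:'],
};

// Run the middleware against a fake request/response and return the headers
// it set plus the extra bytes the legacy copy costs.
function exampleHeaders(userAgent, legacy) {
  const req = { headers: { 'user-agent': userAgent } };
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  csp({ policy: SAMPLE_POLICY, legacy })(req, res, () => { nextCalled = true; });
  const extraBytes = Object.keys(headers)
    .filter((n) => n === LEGACY_HEADER)
    .reduce((sum, n) => sum + n.length + 2 + headers[n].length + 2, 0);
  return { headers, nextCalled, extraBytes };
}

// Stand-alone demonstration (constructed user-agent strings).
const IE11 = 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko';
const CHROME = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0';
for (const legacy of ['none', 'always', 'sniff']) {
  console.log(legacy, 'IE11:', Object.keys(exampleHeaders(IE11, legacy).headers));
  console.log(legacy, 'Chrome:', Object.keys(exampleHeaders(CHROME, legacy).headers));
}
console.log('bytes added by the legacy copy:', exampleHeaders(IE11, 'always').extraBytes);

module.exports = { serializePolicy, headerNames, csp, exampleHeaders, SAMPLE_POLICY };
```

The `extraBytes` figure is the concrete answer to "CSP headers can be large": with `always`, every response to every client pays for the second copy, whereas `sniff` pays only for IE at the price of a regex that has to be maintained.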

mstuart commented 10 years ago

Agree with all of your points. Newer IEs seem too important to leave out. I'll follow up with a PR shortly.

mstuart commented 10 years ago

As I am implementing this, I realized how much I don't like this feature. We can re-open it later if it's needed. I just really don't want to do any user agent sniffing. That code will be old news as soon as it's committed.