Closed mstuart closed 10 years ago
CSP is still new, thus the various headers. I had avoided X- implementations since they weren't fully ratified and (if I remember back correctly) had minor differences in the actual level of support and parsing of the rules.
I would say X-Webkit-CSP is too dated at this point, but if you want to test and PR support over for X-Content-Security-Policy for IE then we can always send down both headers. CSP headers can be large though, so you may want to see what this looks like.
Agree with all of your points. Newer IEs seem too important to leave out. I'll follow up with a PR shortly.
As I am implementing this, I realized how much I don't like this feature. We can re-open it later if it's needed. I just really don't want to do any user agent sniffing. That code will be old news as soon as it's committed.
X-Content-Security-Policy in Firefox < 23.0, IE 10 & 11
X-Webkit-CSP in Chrome < 25.0, Safari < 7.0
Although Content-Security-Policy (correct, according to the spec) is what the latest FF, Chrome and Safari are using, leaving out IE 10 & 11 seems kind of wrong. :)
To implement this, I think we'll have to resort to user-agent sniffing (ouch!)
Source: http://caniuse.com/contentsecuritypolicy
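
The "send down both headers" option from the thread, as an added example that is not code from the project or from any participant: one validated policy string is emitted under both header names, so no user-agent sniffing is needed, and the per-response size cost can be measured. The function names, the `legacyIE` option and the sample policy are assumptions made for illustration.

```javascript
'use strict';

// Header names taken from the thread; X-Webkit-CSP is left out because the
// thread considers it too dated.
const STANDARD = 'Content-Security-Policy';
const LEGACY_IE = 'X-Content-Security-Policy';

// Serialize { directive: [sources] } into a policy string, refusing values
// that would break out of a directive or of the header itself.
function buildPolicy(directives) {
  return Object.entries(directives).map(([name, sources]) => {
    if (!/^[a-z][a-z-]*$/.test(name)) {
      throw new Error('invalid directive name: ' + name);
    }
    for (const src of sources) {
      if (typeof src !== 'string' || src === '' || /[;,\s]/.test(src)) {
        throw new Error('invalid source in ' + name);
      }
    }
    return [name, ...sources].join(' ');
  }).join('; ');
}

// Same policy under each header name (hypothetical helper).
function cspHeaders(directives, opts = {}) {
  const policy = buildPolicy(directives);
  const headers = { [STANDARD]: policy };
  if (opts.legacyIE) headers[LEGACY_IE] = policy;
  return headers;
}

// Bytes the header lines add to every response ("Name: value\r\n").
function headerBytes(headers) {
  return Object.entries(headers).reduce(
    (n, [k, v]) => n + Buffer.byteLength(`${k}: ${v}\r\n`), 0);
}

// Minimal middleware for anything exposing res.setHeader (Node http, Express).
function cspMiddleware(directives, opts) {
  const headers = cspHeaders(directives, opts); // validate once at startup
  return (req, res, next) => {
    for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
    if (next) next();
  };
}

// Constructed sample policy, not taken from the thread.
const SAMPLE = { 'default-src': ["'self'"], 'img-src': ["'self'", 'https://img.example'] };
```

Comparing `headerBytes(cspHeaders(SAMPLE, { legacyIE: true }))` with the single-header result shows what the duplicate costs on every response.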