paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

Add a removeDirective function to remove directives #48

Closed iangcarroll closed 4 years ago

iangcarroll commented 4 years ago

Recently, we have had a case where we needed to dynamically remove a directive from our policy completely. This is because the presence of a directive can sometimes trigger unavoidable behavior that cannot be fixed aside from removing it (see https://github.com/w3c/webappsec-csp/issues/421). There is no easy way to do this with the current APIs, since `CSPBuilder::setDirective(directive, null)` will cause it to build a policy of `directive 'none'`, not omit it.

This adds `CSPBuilder::removeDirective(directive)` to completely remove it from the built policy.

iangcarroll commented 4 years ago

@paragonie-staff No rush, but do you think we can have this merged and a release cut so this and f0903ebdfff5e43be21cd10ce5fe709fd8310bc3 can make it into stable?
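
The difference the pull request description draws between a directive compiled as `'none'` and one left out of the header, as an added JavaScript model that is not part of the PR or of csp-builder. The function names are hypothetical stand-ins, and the fallback of fetch directives to `default-src` is standard CSP behaviour rather than something the thread states.

```javascript
// Added illustration: a hypothetical minimal model, not csp-builder's code.
// Directives that fall back to default-src when absent (frame-src and
// worker-src have longer fallback chains and are left out of this model).
const FALLS_BACK = new Set(["script-src", "style-src", "img-src", "connect-src",
  "font-src", "media-src", "object-src", "manifest-src", "child-src"]);

// Models the behaviour described in the PR: a null value compiles to 'none'.
function setDirective(policy, name, sources) {
  policy.set(name, sources === null ? ["'none'"] : [...sources]);
}

// Models the proposed removal: the directive is absent from the header.
function removeDirective(policy, name) {
  policy.delete(name);
}

// Serialise the policy map into a header value.
function compile(policy) {
  return [...policy].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Source list the browser enforces for `name`; null means no restriction.
function effectiveSources(policy, name) {
  if (policy.has(name)) return policy.get(name);
  if (FALLS_BACK.has(name) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

// Constructed sample policy: compare the header before and after removal.
function demo() {
  const policy = new Map();
  setDirective(policy, "default-src", ["'self'"]);
  setDirective(policy, "script-src", null);
  setDirective(policy, "form-action", null);
  const withNone = compile(policy);
  removeDirective(policy, "script-src");
  removeDirective(policy, "form-action");
  return { withNone, removed: compile(policy),
    script: effectiveSources(policy, "script-src"),
    form: effectiveSources(policy, "form-action") };
}
console.log(demo());
```

After removal, `script-src` is still governed by `default-src`, while `form-action` has no fallback and becomes unrestricted, so a removed directive should be reviewed for which of the two cases it falls into.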