ring-clojure / ring-defaults

A library to provide sensible Ring middleware defaults
MIT License

Content Security Policy headers #16

Closed venantius closed 9 years ago

venantius commented 9 years ago

There seem to be at least two projects covering CSP header middleware for Ring out there in the world, though I suppose neither of them looks particularly maintained. Any chance of getting CSP support in here?

weavejester commented 9 years ago

CSP headers are pretty project specific, so I'm not sure what defaults I could use that would be globally applicable.

venantius commented 9 years ago

That is a fair point. Do you think there is a place for them in the more general family of Ring libraries, or is it sufficient for them to exist as standalone/external pieces of middleware for now?

weavejester commented 9 years ago

For now I think they're fine as third-party libraries. In future I might consider an official library supporting CSP headers, but I don't think there's a pressing need currently for that, not when there are third-party libraries for it.

venantius commented 9 years ago

Fair enough.

Engelberg commented 7 years ago

I spent the day going down the x-frame-options rabbit hole, only to realize that allow-from is not supported by at least two major browsers. From what I can tell, it looks like a lot of the world is moving towards CSP as a solution for these sorts of things, so it would be great to have a solid Ring solution for that. The above-mentioned third-party libraries do not appear to be active.
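
The two points raised in this thread, that a CSP header has no universal default and that CSP's `frame-ancestors` directive is the replacement for the unevenly supported `X-Frame-Options: ALLOW-FROM`, can both be illustrated with a small piece of Ring middleware. The code below is an added example and is not part of ring-defaults or of either third-party library mentioned above; the namespace, function names, option map and the `example-directives` policy are all assumptions chosen for illustration, and the policy itself is deliberately per-project configuration rather than a proposed default.

```clojure
(ns example.csp
  (:require [clojure.string :as str]))

;; Example policy (constructed for this illustration). Keys are CSP directive
;; names as keywords, values are vectors of source expressions. Every project
;; needs its own map here; a policy that is safe for one site breaks another,
;; which is why a library-wide default is hard to pick.
(def example-directives
  {:default-src     ["'self'"]
   :script-src      ["'self'"]
   :object-src      ["'none'"]
   ;; frame-ancestors is the CSP equivalent of X-Frame-Options ALLOW-FROM,
   ;; and unlike ALLOW-FROM it accepts more than one origin.
   :frame-ancestors ["'self'" "https://trusted.example.com"]})

(defn directive->str
  "Render one directive entry, e.g. [:script-src [\"'self'\"]] becomes
   \"script-src 'self'\"."
  [[directive sources]]
  (str (name directive) " " (str/join " " sources)))

(defn csp-header-value
  "Serialise a directive map into a Content-Security-Policy header value,
   directives separated by \"; \"."
  [directives]
  (str/join "; " (map directive->str directives)))

(defn wrap-content-security-policy
  "Ring middleware that adds a Content-Security-Policy header to every
   response of the wrapped handler. Options (assumed, not a ring-defaults
   API): :report-only? true emits Content-Security-Policy-Report-Only
   instead, so a policy can be trialled from browser reports before it
   blocks anything. A header already set by the handler is left alone, so
   a route can override the site-wide policy."
  ([handler directives]
   (wrap-content-security-policy handler directives {}))
  ([handler directives {:keys [report-only?]}]
   (let [header-name  (if report-only?
                        "Content-Security-Policy-Report-Only"
                        "Content-Security-Policy")
         header-value (csp-header-value directives)]
     (fn [request]
       (when-let [response (handler request)]
         (update response :headers
                 #(merge {header-name header-value} %)))))))

(comment
  ;; Usage with a trivial handler; inspect the headers of the response.
  (def app
    (wrap-content-security-policy
     (fn [_request] {:status 200 :headers {} :body "ok"})
     example-directives))
  (:headers (app {:request-method :get :uri "/"}))
  ;; Same policy, report-only, while tuning it against real traffic:
  (def app-report-only
    (wrap-content-security-policy
     (fn [_request] {:status 200 :headers {} :body "ok"})
     example-directives
     {:report-only? true})))
```

Only the synchronous one-argument handler arity is shown; a production version would also accept Ring's three-argument asynchronous form. The `merge` order is the detail worth noticing: the middleware's value is the fallback and the handler's own header wins, which is the opposite of what `assoc-in` would give.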

buzzdan commented 6 years ago

+1 for a default CSP header