Open capegreg opened 1 year ago
This is a cloudflare issue.
Thanks. The expect-ct header can be removed from this library by emailing Cloudflare support. I have switched my includes to using local build in lieu of cdnjs, so it's not an issue for me any longer.
bootstrap-datepicker should no longer include Expect-CT in response header.
https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datepicker/1.9.0/js/bootstrap-datepicker.min.js
Reproduction:
Save html as test.html and open in Chrome browser.
Result:
Response Headers include expect-ct:
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Intent to Deprecate and Remove: Expect-CT https://groups.google.com/a/chromium.org/g/blink-dev/c/bGLVLwSKNJY/m/nbg4hWckAwAJ
"Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern."
Deprecated: This feature is no longer recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT