Include X-WebKit-CSP in response for Safari
Closed this issue · 3 comments
Currently, only the final header `Content-Security-Policy` is sent by django-csp. However, looking at http://caniuse.com/contentsecuritypolicy, it seems many current, and after that many slightly older, browsers still only support WebKit's `X-WebKit-CSP` form.
Although I can understand the argument that we should only be using the final `Content-Security-Policy`, it would improve security for users to also include `X-WebKit-CSP`, at least for some time to come. An alternative would be to make this an optional feature.
I'm happy to create a pull request for either option, but wanted to wait to see whether anyone agrees with me.
I'm happy to look at a patch, but since the content of this header can be pretty big, it needs to be at the least an opt-in thing and possibly change the header for Safari, instead of sending two copies of it.
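The two shapes discussed above (send both header names, or swap the header name only for clients that need the legacy one, behind an opt-in setting) can be sketched without Django. The following is an added example written for this thread, not django-csp's own code: the setting name `CSP_LEGACY_HEADER`, the mode values `"both"` and `"ua"`, and the User-Agent heuristic in `is_legacy_webkit` are all assumptions made for illustration, and the User-Agent strings are constructed samples.

```python
"""Added example (not django-csp code): emit the standard
Content-Security-Policy header and, when opted in, the legacy X-WebKit-CSP
header, either as a second copy or in place of the standard header for
clients that look like legacy WebKit."""

from typing import Dict, List, Mapping

STANDARD_HEADER = "Content-Security-Policy"
LEGACY_HEADER = "X-WebKit-CSP"  # legacy header name discussed in the issue

# Constructed sample User-Agent strings used only to exercise the heuristic.
SAFARI_UA = ("Mozilla/5.0 (Macintosh) AppleWebKit/536.26 (KHTML, like Gecko) "
             "Version/6.0 Safari/536.26")
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/30.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"


def build_policy(directives: Mapping[str, List[str]]) -> str:
    """Serialise a directive mapping into a CSP header value.

    Each directive becomes "name source source"; directives are joined with
    "; " in mapping order, so the output is deterministic.
    """
    return "; ".join(
        f"{name} {' '.join(sources)}" for name, sources in directives.items()
    )


def is_legacy_webkit(user_agent: str) -> bool:
    """Heuristic, assumed for this example rather than taken from a vetted
    browser table: a WebKit engine string that does not identify as Chrome is
    treated as a client that may only honour the legacy header name."""
    ua = user_agent or ""
    return "AppleWebKit" in ua and "Chrome" not in ua


def csp_headers(policy: str, settings: Mapping[str, object],
                user_agent: str = "") -> Dict[str, str]:
    """Return the CSP header(s) to add to a response.

    CSP_LEGACY_HEADER (hypothetical setting name, modelled on the opt-in
    requested in the issue):
      False / absent : send only Content-Security-Policy (the default).
      "both"         : send both header names to every client.
      "ua"           : send X-WebKit-CSP *instead of* the standard header, and
                       only when the User-Agent looks like legacy WebKit, so
                       the (possibly large) policy is never sent twice.
    """
    mode = settings.get("CSP_LEGACY_HEADER", False)
    headers = {STANDARD_HEADER: policy}
    if mode == "both":
        headers[LEGACY_HEADER] = policy
    elif mode == "ua":
        if is_legacy_webkit(user_agent):
            headers = {LEGACY_HEADER: policy}
    elif mode not in (False, None):
        raise ValueError(f"unsupported CSP_LEGACY_HEADER value: {mode!r}")
    return headers


if __name__ == "__main__":
    policy = build_policy({"default-src": ["'self'"],
                           "script-src": ["'self'", "https://cdn.example"]})
    for label, ua in (("safari", SAFARI_UA), ("chrome", CHROME_UA),
                      ("firefox", FIREFOX_UA)):
        print(label, csp_headers(policy, {"CSP_LEGACY_HEADER": "ua"}, ua))
```

The `"ua"` mode is the shape jsocol asks for above: one copy of the policy per response, with the header name chosen per client. The `"both"` mode is simpler but doubles the bytes spent on the policy for every request, which is the cost raised in the reply.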
Can you help us get this through, @jsocol?