mozilla/django-csp

Include X-WebKit-CSP in response for Safari

Closed this issue · 3 comments

Currently, only the final header Content-Security-Policy is sent by django-csp. However, looking at http://caniuse.com/contentsecuritypolicy, it seems many current browsers, and many slightly older ones, still only support WebKit's X-WebKit-CSP form.

Although I can understand the argument that we should only be using the final Content-Security-Policy, it would improve security for users to also include X-WebKit-CSP, at least for some time to come. An alternative would be to make this an optional feature.

I'm happy to create a pull request for either option, but wanted to wait to see whether anyone agrees with me.

I'm happy to look at a patch, but since the content of this header can be pretty big, it needs to be at the least an opt-in thing and possibly change the header for Safari, instead of sending two copies of it.
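To make the two options in this thread concrete, here is an added example (not django-csp's own code and not anyone's patch from this issue) of how a response-header builder could serialise a policy once and emit the legacy X-WebKit-CSP copy only when it is explicitly opted in, and, by default, only to WebKit user agents so other browsers are not charged for a duplicate of a large header. The `POLICY` mapping, the function names and the `legacy_webkit`/`only_for_webkit` switches are all assumptions for illustration; django-csp's real settings and middleware look different.

```python
"""Added example: opt-in legacy X-WebKit-CSP alongside Content-Security-Policy.

Pure Python so it runs without Django; a real middleware would set the
returned headers on the HttpResponse (response[name] = value).
"""

# Constructed sample policy in a hypothetical {directive: [sources]} shape.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example"],
    "img-src": ["'self'", "data:"],
}


def build_policy(policy):
    """Serialise a {directive: [sources]} mapping into one CSP header value."""
    return "; ".join(
        f"{directive} {' '.join(sources)}" for directive, sources in policy.items()
    )


def csp_headers(policy, user_agent="", legacy_webkit=False, only_for_webkit=True):
    """Return the security headers to add to a response.

    legacy_webkit   -- opt-in (default off): a CSP value can be large, so the
                       legacy copy is never sent unless the site asks for it.
    only_for_webkit -- when True, X-WebKit-CSP is only added for user agents
                       that advertise AppleWebKit, so other browsers do not
                       receive two copies of the same policy.
    """
    value = build_policy(policy)
    headers = {"Content-Security-Policy": value}
    if legacy_webkit:
        # Crude UA sniff (assumption): any WebKit-derived engine reports
        # "AppleWebKit", so this also matches WebKit-based Chrome builds.
        is_webkit = "AppleWebKit" in user_agent
        if is_webkit or not only_for_webkit:
            headers["X-WebKit-CSP"] = value
    return headers


if __name__ == "__main__":
    safari_ua = "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 Safari/537.36"
    for name, val in csp_headers(POLICY, safari_ua, legacy_webkit=True).items():
        print(f"{name}: {val}")
```

The header value is built once and reused, so the only cost of the opt-in is the extra bytes on the wire for the browsers that actually need them; turning `only_for_webkit` off reproduces the "send both copies everywhere" variant from the opening post.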

Can you help us get this through, @jsocol?

Yep, closing this in favor of #35.