Aidan Woods

Results 151 comments of Aidan Woods

Although this method wouldn't be entirely consistent with the approach I gave [here](https://github.com/jgm/CommonMark/issues/460#issuecomment-293715367) I think it should probably work almost identically – seeing as blocks like lists are allowed to...

It occurs to me that the simplest (and correct) solution is to just check whether an unclosed `

Usually something like this would be set on the request made by the client (rather than the response from your app), is that correct in this instance? SecureHeaders *shouldn't* be...

Have you got an example of a request that succeeds for comparison?

Quick look (I am on mobile though) does look like these are the same. Do you by any chance have error reporting (in PHP) turned on? I've noticed you have...

SecureHeaders will try to protect some cookies automatically as documented in [auto#auto_cookie_httponly](https://github.com/aidantwoods/SecureHeaders/wiki/auto#auto_cookie_httponly) and [protectedCookie](https://github.com/aidantwoods/SecureHeaders/wiki/protectedCookie). This is tuneable, but from a quick check of the source code in this package I...

They're for using inline scripts with CSP, or more recently assigning trust to a script that can load other scripts (in combination with `'strict-dynamic'`). https://scotthelme.co.uk/csp-cheat-sheet/#nonces https://github.com/aidantwoods/SecureHeaders/wiki/cspNonce

> [...] I think your PR is a good start and by moving the new bits around the suggestion of @keradus could be done. WDYT?

Sounds good – I wasn't...

> About the test, half fail because only half runs, which makes sense as your fixer only works on PHP 7 (+) ;)

Ah yes, this makes sense now 😉...

> > It does this already (via default false option on the 'relocate_to') though it's probably clearer to do this via a separate fixer
>
> ah yes, you already...