csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)

Results 9 csp-builder issues

![Capture](https://user-images.githubusercontent.com/36234981/75557651-b50a9d80-5a40-11ea-99ed-ceab6fd3a5d0.PNG) https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri According to that this is no longer supported.

The JSON example in the README has no `self` in various params, but the JSON file from the tests does have these set. https://github.com/paragonie/csp-builder#example https://github.com/paragonie/csp-builder/blob/e9a7560fd3f133a85f03c51de5fc051ac97630a7/test/vectors/basic-csp.json For example, I am guessing...

`Feature-Policy` is a new header that, in format, seems to look exactly like CSP. It uses a separate `Feature-Policy` HTTP header and instead of `script-src`, `img-src`, and so on as...

It would be nice if there was an option to generate the CSP headers in the .htaccess for Apache, removing the need to restart Apache after generating the script.

Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as...

Hi there, First of all, thanks for this great component! We just had an issue with some `frame-src` directives that started to "mysteriously disappear". For example, we initialize a builder...

It appears that in CSPv3 report-uri is deprecated and replaced with report-to. Report-to looks like a more complicated way to specify types and endpoints. I can see in the code...

When building from aggregated violations, the list of allowed domains will contain many duplicate entries. This PR is the most simple fix to remove the duplication. Preferably, a `public function...