What is the intended method for re-enabling the Content-Security-Policy header?

[jamieweb]

Currently the Content-Security-Policy header is disabled by default when crawling.

It's possible to re-enable it using the crawler configuration: jQuery: false

Is this the intended way to re-enable the CSP header? At the moment it seems to be a side-effect of the jQuery configuration, rather than the primary intended effect.

I think that something such as a csp: true|false configuration would be useful for this.

The reason I am asking is that my project travis-ci_csp-tester specifically requires the CSP to be enabled, and I want to ensure that the jQuery: false configuration is reliable.

Thank you.

[acdha]

@jamieweb Thanks for that post — having CSP disabled by default is not obvious from the documentation or the API guide.