Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Feature: CSP should allow simultaneous `Content-Security-Policy-Report-Only` and `Content-Security-Policy-Report-Only`
See original GitHub issueCurrently an option exists to allow only reporting of violations:
options.reportOnlyis a boolean, defaulting tofalse. Iftrue, theContent-Security-Policy-Report-Onlyheader will be set instead.
But according to https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#testing_your_policy it should be allowed to include both a Content-Security-Policy and Content-Security-Policy-Report-Only header.
Usage scenario Let’s say you have a current CSP policy, but want to evaluate a new, future policy. This means you want to continue using the one you already enforce, but at the same time evaluate the new one. Read more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
I think this in turn should remove options.reportOnly in a new major release. Users would instead get full functionality via:
app.use(
helmet.contentSecurityPolicy({
policy: {
directives: {
"script-src": ["'self'", "example.com"],
},
},
reportPolicy: {
directives: { // or reportPolicy
"script-src": ["'self'", "example.com", "lolcat.com"],
},
},
})
);
Unfortunately this means the top-level properties needs to be moved into a policy and reportPolicy property. This is to allow options such as options.useDefaults to be set per header.
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@EvanHahn documentation it makes perfect sense, and I do think the workaround is good as-is. Thanks for a great project.
After some consideration, I don’t think I’m going to add this to Helmet for three reasons:
We’d have to document the new feature anyway. Why not just document the workaround instead? I’ve added a note to the documentation (see 7848f5aae059810e05147c5f4d4ae94a52f950c2) to make this more obvious for people in the future.
I’m going to close this issue because I think it’s resolved, but let me know if you disagree.