As a person concerned about security I want the Content-Security-Policy header to be set.
neissi opened this issue · comments
Background:
This header specifies from which sites resources can be downloaded (https://en.wikipedia.org/wiki/Content_Security_Policy).
This might, for example, help with some kinds of injection attacks where some malicious JavaScript code is downloaded from an external site because of some formatting/escape problems.
There is a special report-only option, which might be helpful to identify which external stuff we unknowingly depend on.
Content-Security-Policy-Report-Only: policy
Requirements:
When I open any user-agent URI
Then I get the Content-Security-Policy header as well as the Content-Security-Policy-Report-Only header
The same was implemented on #304
No more dispatcher means this issue doesn't make sense anymore, right? Can we close it?
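The report-only option described in the issue, as an added example that is not part of the original thread or the project's code: it groups the sources named in violation reports by directive, which is how report-only mode surfaces external dependencies before a policy is enforced. The report bodies are constructed samples in the legacy `csp-report` JSON shape that browsers POST to a `report-uri` endpoint; the function names and hosts are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit


def blocked_source(blocked_uri):
    """Map a report's blocked-uri to the source expression a policy would need."""
    if not isinstance(blocked_uri, str) or not blocked_uri:
        return None
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https", "ws", "wss") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # origin only, path dropped
    # Browsers also send keywords ("inline", "eval") or a bare scheme ("data")
    return blocked_uri.rstrip(":").lower()


def summarise(raw_reports):
    """Group blocked sources by directive, skipping bodies that are not CSP reports."""
    deps = defaultdict(set)
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive = report.get("effective-directive") or report.get("violated-directive")
            # violated-directive may carry the whole directive text; keep its name only
            name = (str(directive or "").split() or ["unknown"])[0]
            source = blocked_source(report.get("blocked-uri"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # the report endpoint is unauthenticated, so expect junk
        if source:
            deps[name].add(source)
    return {d: sorted(s) for d, s in sorted(deps.items())}


def _body(directive, blocked):  # builds a constructed sample report body
    return json.dumps({"csp-report": {"document-uri": "https://mail.example.test/",
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})


SAMPLE = [  # constructed input; hosts are made up
    _body("script-src", "https://cdn.example.test/lib/jquery.min.js"),
    _body("script-src", "https://cdn.example.test/lib/other.js"),
    _body("font-src", "https://fonts.example.test/s/roboto.woff2"),
    _body("img-src", "data"),
    _body("script-src", "inline"),
    "not json at all",
    '{"unrelated": true}',
]

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Each origin in the summary is a candidate source for the matching directive of the enforced policy; an `inline` entry points at page code that would have to move into a file, or be allowed by nonce or hash, before enforcement.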