Issue 160081: Add unprefixed support for the "Content-Security-Policy" header
Starred by 2 users. Project Member. Reported by firstname.lastname@example.org, Nov 8 2012
(See http://goto.google.com/owp-launch-guide for an overview)

*High-level description of the change (1-2 sentences):*
Content Security Policy is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources. The Content-Security-Policy header field is the preferred mechanism for delivering a CSP policy. Upon receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent must enforce each of the policies contained in each such header field.

*Listing of additions/modifications/changes to API surface (bullet points):*
Move to Content-Security-Policy from X-WebKit-CSP

---------
Additional context (fill in as much as you can, or link to a prior API launch bug with the context):

*Link to relevant webkit or crbug:*
https://bugs.webkit.org/show_bug.cgi?id=96765

*Link to relevant public standards discussion:*
http://www.w3.org/TR/CSP/
http://lists.w3.org/Archives/Public/public-webappsec/2012Aug/0007.html

*Support in other browsers (current and expected):*
Internet Explorer: partial support in 10
Firefox: prefixed support since 15
Safari: prefixed support since 5.0
Opera: no support
http://caniuse.com/#feat=contentsecuritypolicy

Make sure to fill in any labels with a -?. Feel free to leave other labels at the defaults.
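The "enforce each of the policies contained in each such header field" rule from the description above, as an added example (not Chromium or WebKit code): every Content-Security-Policy header on a response is parsed, and a load is permitted only if all delivered policies permit it. The header values and origin are constructed; source matching covers CSP 1.0 host, scheme, 'self', 'none' and * expressions and ignores ports and paths.

```python
from urllib.parse import urlsplit
def parse_policies(headers):
    """Collect every policy on Content-Security-Policy headers; `headers` is a
    list of (name, value) pairs. One header value may carry several comma-
    separated policies; each policy is ';'-separated directives with sources."""
    policies = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy_text in value.split(","):
            policy = {}
            for directive in policy_text.split(";"):
                tokens = directive.lower().split()
                if tokens:  # first occurrence of a directive name wins
                    policy.setdefault(tokens[0], tokens[1:])
            if policy:
                policies.append(policy)
    return policies

def source_matches(expr, url, page_origin):
    """Match one CSP 1.0 source expression against a URL (ports/paths ignored)."""
    parts = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return f"{parts.scheme}://{parts.netloc}" == page_origin
    if expr.endswith(":"):  # scheme-source such as "https:"
        return f"{parts.scheme}:" == expr
    host = expr.split("://")[-1]  # host-source, optional scheme prefix
    if host.startswith("*."):
        return parts.hostname.endswith(host[1:])
    return parts.hostname == host

def allowed(policies, directive, url, page_origin):
    """Permit the load only if every delivered policy permits it."""
    for policy in policies:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # this policy says nothing about this fetch directive
        if not any(source_matches(s, url, page_origin) for s in sources):
            return False
    return True

SAMPLE_HEADERS = [  # constructed sample: second header stricter than the first
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.com"),
    ("Content-Security-Policy", "script-src 'self'"),
]
PAGE_ORIGIN = "https://app.example.com"
```

With these two headers the CDN script is rejected even though the first policy lists it, because the second policy does not.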
Nov 25 2012,
Mike's H5R announcement post: http://updates.html5rocks.com/2012/11/Content-Security-Policy-1-0-is-officially-awesome
Jan 4 2013,
Jan 5 2013,
Not sure why OS-iOS was added; we don't control how UIWebView interprets headers for JS purposes. Did someone add code that rewrites the headers on iOS so that UIWebView gets the prefixed header if the server sends the unprefixed version?
Jan 7 2013,
Thanks for your comment. I'm removing OS-iOS for now. Feel free to add it back if appropriate!
Jan 24 2013,
Mar 9 2013,
Mar 9 2013,
Mar 12 2013,
Does WebView on Android support CSP?