Comments (8)

EvanHahn commented on May 18, 2024

If you want no CSP, you don't need to include the middleware. Is there a reason why you want this middleware if it's empty?

ibash commented on May 18, 2024

We're using other directives besides the sandbox attribute. This was just to show that sandbox is always added.
You'll have the same problem if you have a config with script-src and others.

EvanHahn commented on May 18, 2024

This brings up a good question about what to do on IE. We've got a few options:

  1. Leave things as is, which @ibash points out has some undesirable behavior.
  2. If you don't supply a sandbox attribute, the header will be useless on IE (and might as well be removed), but won't break IE. We could remove it or include it, it doesn't matter much.
  3. If you don't specify sandbox, try to guess it for IE (and be liberal with what you allow). For example, if your script-src is none, then you shouldn't allow-scripts in the sandbox. To reiterate, this should only happen if (1) you're on IE and (2) you didn't specify the sandbox directive.

I feel like the last option is probably what people want, but it has the potential to be buggy and introduce errant behavior. I think option 2 is probably the best.

Thoughts?

@ibash, for now, you can probably do something like this:

app.use(helmet.csp({
  sandbox: ['allow-forms']  // set the sandbox directive explicitly so IE gets a known value
}));

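As an added example (not helmet's code, and not written by anyone in this thread), here is a small header builder that implements option 2 above, with option 3 available behind an explicit opt-in; isOldIe, serialize, guessSandbox, buildCspHeader and the guessSandboxForIe option are names assumed for this example, and the MSIE/Trident substring check is a simplified stand-in for real browser detection.

```javascript
// Added example, not helmet's own code. isOldIe, serialize, guessSandbox,
// buildCspHeader and opts.guessSandboxForIe are names assumed here.

// IE 10/11 only honour X-Content-Security-Policy and, within it, only the
// sandbox directive. The MSIE/Trident substring check is a simplification.
function isOldIe(userAgent) {
  return /MSIE |Trident\//.test(userAgent || '');
}

// { scriptSrc: ["'self'"], sandbox: ['allow-forms'] }
//   -> "script-src 'self'; sandbox allow-forms"
function serialize(directives) {
  return Object.keys(directives)
    .filter((key) => Array.isArray(directives[key]) && directives[key].length)
    .map((key) => key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase()) +
                  ' ' + directives[key].join(' '))
    .join('; ');
}

// Option 3 from the thread: a liberal sandbox, minus allow-scripts when the
// configured script-src is exactly 'none'.
function guessSandbox(directives) {
  const liberal = ['allow-forms', 'allow-same-origin', 'allow-scripts', 'allow-popups'];
  const scripts = directives.scriptSrc || [];
  const noScripts = scripts.length === 1 && scripts[0] === "'none'";
  return liberal.filter((token) => !(noScripts && token === 'allow-scripts'));
}

// Returns { name, value } or null. Non-IE browsers get the full policy.
// IE gets a sandbox directive only when the user configured one (option 2)
// or, if opts.guessSandboxForIe is set, one derived from the policy (option 3).
function buildCspHeader(directives, userAgent, opts) {
  opts = opts || {};
  if (!isOldIe(userAgent)) {
    return { name: 'Content-Security-Policy', value: serialize(directives) };
  }
  let sandbox = directives.sandbox;
  if ((!sandbox || !sandbox.length) && opts.guessSandboxForIe) {
    sandbox = guessSandbox(directives);
  }
  if (!sandbox || !sandbox.length) {
    return null; // would be useless on IE, so it is left out entirely
  }
  return { name: 'X-Content-Security-Policy', value: serialize({ sandbox }) };
}
```

Without the opt-in, a policy with no sandbox directive produces no header at all for IE, which is the "might as well be removed" reading of option 2.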

ibash commented on May 18, 2024

I say ditto on option 2. Since csp is still relatively new I think it makes more sense to let users make the judgement call as to what happens (by making it more configurable).

With some good documentation that shouldn't be a problem. Want me to write up a pull request?

On Fri, Apr 25, 2014 at 2:35 PM, Evan Hahn wrote:

EvanHahn commented on May 18, 2024

Sure! I'd imagine the PR is just removing the code that always adds sandbox to IE.

ibash commented on May 18, 2024

@EvanHahn pull request attached, take a look and let me know what you think.

EvanHahn commented on May 18, 2024

Closing this; let's move discussion to the PR.

ibash commented on May 18, 2024

Okay -- as a side note, another common practice is to leave issues open until they're fixed by a commit message, i.e. "fixes #42".
