Add support for Report-Only header about hood HOT 9 CLOSED

Note: I'm happy to do the PR to implement this, just not sure what the API should work/look like :)

from hood.

Hmmm yea. The only difference is the header, correct? If so, this can currently be done by providing a headers array of Report-Only header. However, that's no fun.

I see in the docs you can also include multiple Report-Only headers.

So, what if it were simply a boolean on the object. If you want a normal policy and a report-only policy, call csp twice?

app.use(hood.csp({
  policy: {
    'default-src': ['self', 'unsafe-inline']
  }
});
app.use(hood.csp({
  policy: {
    'default-src': 'self'
  },
  reportOnly: true
});

// shortcut could include a 2nd boolean argument?
hood.csp(policyStr, isReportOnly);

I can implement this pretty quickly today.

from hood.

Ahhh, that's pretty clever. Yeah, I think that'd work great!

from hood.

alright, added that. will publish v0.2.0 today.

from hood.

Beautiful, thanks!

Question about the patch; is there a reason to not send the corresponding X-Content-Security-Policy-Report-Only and X-Webkit-CSP-Report-Only headers?

from hood.

Ah, I didn't notice them when looking at the docs, so I just assumed Report-Only emerged once the X- had been dropped. Are the X- versions useful as well?

from hood.

It'd be nice to be able to test policies before turning them on in production, and Report-Only is definitely the best way to do that. Safari only supports the X-Webkit-CSP header and Firefox < v23 is still 10% of visits to webmaker.org.

I think that so long as the default for hood to send the standard and non-standard policy headers, it should also send the standard and non-standard report-only headers.

That being said, let me install an older version of Firefox and make sure that the non-standard report-only headers work properly :)

from hood.

ok, i'll add them in

from hood.

done, in v0.2.1!

from hood.