docs: Clarifies CSP usage with file:// resources #14768
Conversation
|
💖 Thanks for opening this pull request! 💖 We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can. |
| @@ -370,8 +370,7 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => { | |||
|
|
|||
| ### CSP Meta Tag | |||
|
|
|||
| CSP's preferred delivery mechanism is an HTTP header. It can be useful, however, | |||
| to set a policy on a page directly in the markup using a `<meta>` tag: | |||
| CSP's preferred delivery mechanism is an HTTP header, however it is not possible to use this method when loading a resource using the `file://` protocol. It can be useful in some cases, such as using the `file://` protocol, to set a policy on a page directly in the markup using a `<meta>` tag: | |||
|
|
|||
There was a problem hiding this comment.
good stuff 👏
i think it's worth also noting a few other things:
- the example usage of
onHeadersReceived()is wrong - specifically the{ responseHeaders:default-src 'none'}format should be 👉 https://stackoverflow.com/a/52243138/579167 (i think?) - CSP headers only need to be set for
Content-Type: text/html(andapplication/xhtml+xmlandapplication/xml- anything that generates an interactive document) responses
There was a problem hiding this comment.
@slapbox agree with the above; if you could address these comments we can look to getting this merged!
There was a problem hiding this comment.
@codebytere @busticated thanks for your reviews. I'd be happy to update this, but because I've never actually set headers this way due to exclusive use of the file:// protocol in my projects, I'd be worried about updating the docs with inaccurate information. Can anyone confirm the below is accurate?
the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders:default-src 'none'} format should be point_right https://stackoverflow.com/a/52243138/579167 (i think?)
There was a problem hiding this comment.
The other notes are additional to other chapters, and do not conflict with this PR which only adds new content to "CSP Meta Tag", please start a new PR to add new content.
|
Release Notes Persisted
|
|
Congrats on merging your first pull request! 🎉🎉🎉 |
Description of Change
Checklist
Release Notes
Notes: Previously it was not noted that the HTTP header method could not work with the file:// protocol.