New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Clarifies CSP usage with file:// resources #14768
Conversation
💖 Thanks for opening this pull request! 💖 We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix. Examples of commit messages with semantic prefixes:
Things that will help get your PR across the finish line:
We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can. |
@@ -370,8 +370,7 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => { | |||
|
|||
### CSP Meta Tag | |||
|
|||
CSP's preferred delivery mechanism is an HTTP header. It can be useful, however, | |||
to set a policy on a page directly in the markup using a `<meta>` tag: | |||
CSP's preferred delivery mechanism is an HTTP header, however it is not possible to use this method when loading a resource using the `file://` protocol. It can be useful in some cases, such as using the `file://` protocol, to set a policy on a page directly in the markup using a `<meta>` tag: | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good stuff 👏
i think it's worth also noting a few other things:
- the example usage of
onHeadersReceived()
is wrong - specifically the{ responseHeaders:
default-src 'none'}
format should be 👉 https://stackoverflow.com/a/52243138/579167 (i think?) - CSP headers only need to be set for
Content-Type: text/html
(andapplication/xhtml+xml
andapplication/xml
- anything that generates an interactive document) responses
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@slapbox agree with the above; if you could address these comments we can look to getting this merged!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@codebytere @busticated thanks for your reviews. I'd be happy to update this, but because I've never actually set headers this way due to exclusive use of the file://
protocol in my projects, I'd be worried about updating the docs with inaccurate information. Can anyone confirm the below is accurate?
the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders:default-src 'none'} format should be point_right https://stackoverflow.com/a/52243138/579167 (i think?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The other notes are additional to other chapters, and do not conflict with this PR which only adds new content to "CSP Meta Tag", please start a new PR to add new content.
Release Notes Persisted
|
Congrats on merging your first pull request! 🎉🎉🎉 |
Description of Change
Checklist
Release Notes
Notes: Previously it was not noted that the HTTP header method could not work with the file:// protocol.