Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Clarifies CSP usage with file:// resources #14768

Merged
merged 1 commit into from Nov 28, 2018
Merged

docs: Clarifies CSP usage with file:// resources #14768

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 4 additions & 2 deletions docs/tutorial/security.md
View file
Open in desktop
Expand Up @@ -374,8 +374,10 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => {

### CSP Meta Tag

CSP's preferred delivery mechanism is an HTTP header. It can be useful, however,
to set a policy on a page directly in the markup using a `<meta>` tag:
CSP's preferred delivery mechanism is an HTTP header, however it is not possible
to use this method when loading a resource using the `file://` protocol. It can
be useful in some cases, such as using the `file://` protocol, to set a policy
on a page directly in the markup using a `<meta>` tag:

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good stuff 👏

i think it's worth also noting a few other things:

  1. the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders: default-src 'none' } format should be 👉 https://stackoverflow.com/a/52243138/579167 (i think?)
  2. CSP headers only need to be set for Content-Type: text/html (and application/xhtml+xml and application/xml - anything that generates an interactive document) responses

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@slapbox agree with the above; if you could address these comments we can look to getting this merged!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codebytere @busticated thanks for your reviews. I'd be happy to update this, but because I've never actually set headers this way due to exclusive use of the file:// protocol in my projects, I'd be worried about updating the docs with inaccurate information. Can anyone confirm the below is accurate?

the example usage of onHeadersReceived() is wrong - specifically the { responseHeaders:default-src 'none'} format should be point_right https://stackoverflow.com/a/52243138/579167 (i think?)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other notes are additional to other chapters, and do not conflict with this PR which only adds new content to "CSP Meta Tag", please start a new PR to add new content.

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'none'">
Expand Down