Github user robertkowalski commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/233#discussion_r12776633
  
    --- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
    @@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, 
DocumentRoot) ->
     handle_utils_dir_req(Req, _) ->
         send_method_not_allowed(Req, "GET,HEAD").
     
    +maybe_add_csp_headers(Headers, "false") ->
    +    Headers;
    +maybe_add_csp_headers(Headers, "true") ->
    +    DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
    +                    "script-src 'self' 'unsafe-eval'; style-src 'self' 
'unsafe-inline';",
    +    Value = couch_config:get("csp", "header_value", DefaultValues),
    +    Headers ++ [{"Content-Security-Policy", Value}].
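Review bot: `maybe_add_csp_headers/2` only has clauses for the exact strings "false" and "true", so any other value of the enabling setting (an unset option, "True", "1", a typo) raises `function_clause` and fails the request rather than degrading to the no-header case; the caller is not in this hunk, so the function should defend itself with a catch-all clause such as `maybe_add_csp_headers(Headers, _) -> Headers.` (or normalise the value before matching). It is also worth documenting that the default `header_value` ships with `'unsafe-eval'` in `script-src`, since that is the relaxation most deployments will want to tighten once they know it is there.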
    --- End diff --
    
    I see the point to bring this feature even to users with old browsers, but I have mixed feelings about that: the `Content-Security-Policy` header is defined by a W3C Spec, the other headers are not.
    
    I am personally not a big fan of the other versions, especially the IE 8 and 9 ones, as they are not a part of a spec and just used by special browsers.

