Github user kxepal commented on a diff in the pull request:
https://github.com/apache/couchdb/pull/233#discussion_r12776692
--- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
@@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req,
DocumentRoot) ->
handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
+maybe_add_csp_headers(Headers, "false") ->
+ Headers;
+maybe_add_csp_headers(Headers, "true") ->
+ DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
+ "script-src 'self' 'unsafe-eval'; style-src 'self'
'unsafe-inline';",
+ Value = couch_config:get("csp", "header_value", DefaultValues),
+ Headers ++ [{"Content-Security-Policy", Value}].
--- End diff --
Well, `X-Content-Security-Policy` was used during experimental period: so
can cover modern IEs and older browsers with no cost. As for `X-XSS-Protection`
you can say, that it's a part of `CSP 1.1` spec which by the way covers some
old browsers for today. In anyway, ignoring IE is hard since we're doing
Windows releases and it's still on the market (:
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
