https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Benjamin Daeuber from comment #2)
We're currently experimenting with this in response headers in Apache, though part of the struggle is getting a hold on the variety of resources we're currently loading. Paypal, cover images, analytics scripts, enhanced content, jquery libraries, etc, etc.
To start, we could use this example: "# Don't implement the above policy yet; instead just report violations that would have occurred Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/" That might help us build up a good list?
Is the thought to do this with meta tags or using response headers?
It seems like a response header is preferred? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.