oschaaf commented on issue #1758: ModPagespeedHonorCsp ignores that unsafe-eval is not an allowed script source URL: https://github.com/apache/incubator-pagespeed-mod/issues/1758#issuecomment-371303748 Another thought -- would it make sense to make header reading more configurable per header-type? e.g.: ``` ModPagespeedReadResponseHeaderPhase HeaderName Phase [optional RestrictiveUrlWildCard] ``` Where `Phase` would be one of `default` or `final`. Not sure I like the proposed option name and phase names here, but I wonder what the thoughts are about the general idea of delegating responsibility to configuration here. (Internally, we could still consider defaulting the phase to `final` for `Content-Security-Policy` when respecting it is enabled, and no explicit directives are set). Implementing the new phase for header capturing (`final`) would be pretty generic and require a similar hook in all ports, I think, though I feel some more thought may be needed to get consistent behavior across html and resource responses when doing this.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
