oschaaf commented on issue #1758: ModPagespeedHonorCsp ignores that unsafe-eval is not an allowed script source
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1758#issuecomment-371303748
 
 
   Another thought -- would it make sense to make header reading more configurable per header-type? e.g.:
   
   ```
   ModPagespeedReadResponseHeaderPhase HeaderName Phase [optional RestrictiveUrlWildCard]
   ```
   
   Where `Phase` would be one of `default` or `final`. Not sure I like the proposed option name and phase names here, but I wonder what the thoughts are about the general idea of delegating responsibility to configuration here.
   
   (Internally, we could still consider defaulting the phase to `final` for `Content-Security-Policy` when respecting it is enabled, and no explicit directives are set).
   
   Implementing the new phase for header capturing (`final`) would be pretty generic and require a similar hook in all ports, I think, though I feel some more thought may be needed to get consistent behavior across HTML and resource responses when doing this.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
