Re: CSPRequestCycleListener headers

2020-03-13 Thread Emond Papegaaij
I've changed the code. From what I can see, the header is now only set once per request. There could be some exceptions to this, for example when the request is restarted during rendering. IMHO that's not a big issue, because the header is still added only once. I've also added a demo-case to t

Re: CSPRequestCycleListener headers

2020-03-13 Thread Emond Papegaaij
Hi Sven, I've reread the spec a bit more precisely last night. I think we can change the code to only set the header on a RenderPageRequestHandler. The CSP is taken from the page and applies to all resources loaded by that page. The only exceptions are child-contexts: iframes, objects and js-workers

Re: CSPRequestCycleListener headers

2020-03-12 Thread Sven Meier
Hi Emond, for me setting the appropriate headers is part of rendering. I've just tried setting HTTP CSP headers from CSPNonceHeaderResponseDecorator, and that almost works (with minor changes to HtmlHeaderContainer, which currently doesn't allow setting of headers during rendering). Before

Re: CSPRequestCycleListener headers

2020-03-12 Thread Martin Grigorov
On Thu, Mar 12, 2020 at 3:34 PM Martin Grigorov wrote:
>
>
> On Thu, Mar 12, 2020 at 3:03 PM Emond Papegaaij wrote:
>
>> Hi Sven,
>>
>> Yes, you might be right. When rendering another page, normally the
>> header will be overridden when the second handler is resolved.
>> However, this will not

Re: CSPRequestCycleListener headers

2020-03-12 Thread Martin Grigorov
On Thu, Mar 12, 2020 at 3:03 PM Emond Papegaaij wrote:
> Hi Sven,
>
> Yes, you might be right. When rendering another page, normally the
> header will be overridden when the second handler is resolved.
> However, this will not happen when the page is not protected
> (protectedPageFilter). Do you

Re: CSPRequestCycleListener headers

2020-03-12 Thread Emond Papegaaij
Hi Sven, Yes, you might be right. When rendering another page, normally the header will be overridden when the second handler is resolved. However, this will not happen when the page is not protected (protectedPageFilter). Do you see a solution for this? Maybe recording the desired action in the R