Unless I'm mistaken, the current DSL for managing the Content Security Policy doesn't appear to support producing both headers at the same time. I believe earlier CSP specifications, if both headers were present, instructed the user agent to ignore the report-only policy. This is no longer the case with the CSP2 recommendation, https://www.w3.org/TR/CSP2/#processing-model, as it's a great way to test and migrate towards a stricter policy.
> A server MAY cause user agents to monitor one policy while enforcing another policy by returning both Content-Security-Policy <https://www.w3.org/TR/CSP2/#content_security_policy> and Content-Security-Policy-Report-Only <https://www.w3.org/TR/CSP2/#content_security_policy_report_only> header fields. For example, if a server operator may wish to enforce <https://www.w3.org/TR/CSP2/#enforce> one policy but experiment with a stricter policy, she can monitor the stricter policy while enforcing the original policy. Once the server operator is satisfied that the stricter policy does not break the web application, the server operator can start enforcing the stricter policy.

I understand the behaviour of the *content_security_policy_report_only* configuration is to switch the policy to the report-only header. I'd like to attempt some work to update the DSL to accommodate the definition of both policies side-by-side. Is there community support for this? I acknowledge I could achieve what I want via custom headers (with an already serialised value), but I'd like to see the DSL be of greater use.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/6823161a-0ba3-4fdd-a3d8-212a206d66b7%40googlegroups.com.
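The enforce-plus-monitor pattern the post quotes from CSP2, shown as an added example that is not part of the thread and not the Rails DSL: a small Rack-style middleware that serialises two separately defined policies and emits both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` on every response. It follows the Rack `call(env)` convention but does not depend on the rack gem; the policy hashes, the `https://cdn.example.com` host, the nonce value, and the `/csp-reports` endpoint are constructed for the example. The one check worth keeping is that the report-only policy carries a `report-uri`, since without it violations of the candidate policy are silently dropped and the migration learns nothing.

```ruby
# Added example (not Rails code): emit an enforced CSP and a stricter
# report-only CSP side by side, as the CSP2 processing model permits.

# Source expressions that must be single-quoted in a serialised policy.
KEYWORDS = %w[self none unsafe-inline unsafe-eval strict-dynamic].freeze

def csp_source(src)
  if KEYWORDS.include?(src) || src.start_with?("nonce-", "sha256-", "sha384-", "sha512-")
    "'#{src}'"
  else
    src
  end
end

# Serialise { directive => [sources] } into a header value. A directive with
# no sources (e.g. "upgrade-insecure-requests") is emitted bare.
def serialize_csp(policy)
  policy.map do |directive, sources|
    sources.empty? ? directive : "#{directive} #{sources.map { |s| csp_source(s) }.join(' ')}"
  end.join("; ")
end

# Build both headers. The enforced policy is what the app relies on today; the
# report-only policy is the stricter candidate and must name a report-uri,
# otherwise the monitoring half of the pattern produces no signal.
def csp_headers(enforce:, report_only:)
  raise ArgumentError, "report-only policy without report-uri" unless report_only.key?("report-uri")
  {
    "Content-Security-Policy" => serialize_csp(enforce),
    "Content-Security-Policy-Report-Only" => serialize_csp(report_only),
  }
end

# Rack-shaped middleware: wraps any app responding to call(env) and merges the
# two CSP headers into the response headers.
class DualCspMiddleware
  def initialize(app, enforce:, report_only:)
    @app = app
    @enforce = enforce
    @report_only = report_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(csp_headers(enforce: @enforce, report_only: @report_only)), body]
  end
end

# Constructed sample policies (assumptions, not from the thread): the current,
# looser policy stays enforced while a nonce-based policy is only monitored.
ENFORCED = {
  "default-src" => ["self"],
  "script-src"  => ["self", "unsafe-inline", "https://cdn.example.com"],
}.freeze

CANDIDATE = {
  "default-src" => ["self"],
  "script-src"  => ["self", "nonce-d2VudA", "strict-dynamic"],
  "report-uri"  => ["/csp-reports"],
}.freeze

# Constructed demo app and request.
DEMO_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<p>hi</p>"]] }

def demo_response
  DualCspMiddleware.new(DEMO_APP, enforce: ENFORCED, report_only: CANDIDATE).call({})
end

if __FILE__ == $0
  _status, headers, _body = demo_response
  headers.each { |name, value| puts "#{name}: #{value}" }
end
```

Running the file prints the three response headers; the enforced value keeps `'unsafe-inline'` while the report-only value carries the nonce and `'strict-dynamic'`, so a browser applies the former and only reports against the latter.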