- 🇨🇦Canada gapple
Created "🐛 Preserve 'report-sample' if directive contains 'none'" (Active) and "📌 Throw deprecation warning if directive contains 'none' and other values" (Active) to improve behaviour in 8.x-1.x and prepare for changing in 2.0.
----
I think it's better to let the browser decide how to interpret the sources in the list; it will do so in compliance with the CSP spec.
The module has a broad audience of users, many of whom aren't familiar with the CSP spec and how it's interpreted by browsers, and has to support a mix of static and dynamic configuration.
One of the goals of processing the policy before it's output is to best align the header value with what is interpreted by the browser so that issues with configuration or how it's altered by modules installed on a site can more easily be reviewed and remedied. Though the current behaviour is different from the spec, it is at least clear from the output what the browser's behaviour will be, and a user can look up why certain values are not being included and alter the policy if necessary.
Version 2.0 will alter the behaviour to align with the spec, but continue to clean up directives (in this case, removing 'none' if other sources are included).
- Status changed to Fixed
about 1 year ago 2:05am 19 January 2024 Automatically closed - issue fixed for 2 weeks with no activity.
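
The cleanup discussed in this thread, as an added example that is not part of the thread or the module's code: it models how a browser reads a source list containing 'none' and checks that the cleaned header value states the same policy. The function names and the sample policy are constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not the CSP module's API.
const NONE = "'none'";
const isNone = (s) => s.toLowerCase() === NONE;

// Browser view under the CSP spec: 'none' means "match nothing" only when it
// is the sole expression in the list; next to other sources it is ignored.
function browserEffectiveSources(sources) {
  const list = sources.map((s) => s.trim()).filter(Boolean);
  if (list.length === 1 && isNone(list[0])) return [];
  return list.filter((s) => !isNone(s));
}

// Cleanup as described for 2.0: drop 'none' when other sources are included,
// so the emitted header shows what the browser will actually apply.
function cleanSourceList(sources) {
  const list = [...new Set(sources.map((s) => s.trim()).filter(Boolean))];
  const others = list.filter((s) => !isNone(s));
  if (others.length > 0) return others;
  return list.length > 0 ? [NONE] : [];
}

// Compare each directive before and after cleanup. "changed" flags a
// configuration worth reviewing; "equivalent" confirms the browser would
// enforce the same thing for the raw and the cleaned value.
function auditPolicy(policy) {
  return Object.entries(policy).map(([directive, sources]) => {
    const cleaned = cleanSourceList(sources);
    const before = browserEffectiveSources(sources).join(" ");
    const after = browserEffectiveSources(cleaned).join(" ");
    return {
      directive,
      header: `${directive} ${cleaned.join(" ")}`.trim(),
      changed: cleaned.join(" ") !== sources.join(" "),
      equivalent: before === after,
    };
  });
}

// Constructed sample: a static 'none' that other code later appended to.
const samplePolicy = {
  "object-src": ["'none'"],
  "script-src": ["'none'", "'report-sample'"],
  "img-src": ["'self'", "'none'", "https://cdn.example"],
};

const auditResult = auditPolicy(samplePolicy);
```
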