• Resolved emachuca

    (@emachuca)


    Hola, thanks for the plugin.

    Just wanted to point out that according to developers dot mozilla dot org, in the Content Security Policy page, it says that x-content-security-policy is no longer needed, only content-security-policy.

    “To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that’s an older version and you don’t need to specify it anymore.)”

    Your plugin generates two identical directives under both headers, and the x-content-security-policy output should be removed.

    Hope this is useful.

    Saludos,

Viewing 1 replies (of 1 total)
  • Plugin Author Kevin Pirnie

    (@kevp75)

    @emachuca

    I check the security sites on a monthly basis, and X-Content-Security-Policy will not be removed any time soon.

    Once we can 100% guarantee that nobody is using outdated web browsers, it will stay. As a for-instance… 2 doctor offices I frequent still use Windows XP, along with my local hospitals.

    As I am sure you are aware, Win XP is quite old, and uses very old web browsers, which do in fact still need the “X” headers.

    Thank you for your opinion tho.

  • The topic ‘X-Content-Security-Policy no longer needed’ is closed to new replies.
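
A check for the situation discussed in this thread (one policy sent under both header names), as an added example that is not part of the original posts or the plugin's code: it parses a raw response header block and reports whether X-Content-Security-Policy duplicates, differs from, or stands in for Content-Security-Policy. The function names, result labels and sample headers are assumptions constructed for illustration.

```python
STANDARD = "content-security-policy"
LEGACY = "x-content-security-policy"  # the prefixed header discussed in this thread

def parse_headers(raw):
    """Parse a raw header block into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # skips the status line and malformed lines
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_policy(value):
    """Turn a policy string into {directive: frozenset(source expressions)}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), frozenset(tokens[1:]))
    return policy

def audit_csp(raw):
    """Classify how the standard and prefixed CSP headers relate."""
    headers = parse_headers(raw)
    standard = [parse_policy(v) for n, v in headers if n == STANDARD]
    legacy = [parse_policy(v) for n, v in headers if n == LEGACY]
    if not standard and not legacy:
        return "no-csp"
    if not legacy:
        return "standard-only"
    if not standard:
        return "legacy-only"   # current browsers ignore the prefixed name
    # Same directives and sources, regardless of order or spacing.
    return "duplicate" if standard == legacy else "mismatch"

# Constructed sample response, not captured from the plugin.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; img-src 'self' data:
X-Content-Security-Policy: default-src 'self';  img-src data: 'self'
"""

if __name__ == "__main__":
    print(audit_csp(SAMPLE))
```

A "mismatch" result is the case worth reviewing when both headers are kept: browsers that honor only one of the two names would then enforce different policies.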