DOCU-1625

Document how to enable Content Security Policy (CSP) support in Magnolia

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Minor

      The Cloud team has brought up the topic of Content Security Policy (CSP) to the architecture group.

      See:

      In particular, CSP can be enabled either A. through HTTP headers on the response, or B. through meta tags in the page.

      We generally think this is a project decision—that we don't need any default or preconfiguration in Magnolia Core—but were discussing how to address it if a prospect is interested in it, or enquires about it (what do we do for similar cases generally, e.g. CORS?)

      A small "how-to" page describing the no-brainer filter configuration (see the AddHeadersFilter snippet), or how to add the meta tag to the site prototype, could be considered. We don't need/want to re-explain what CSP is; the Mozilla site is pretty good about it, and if users search for it, there's a good chance they read about it before.

      And most of all, this is just a suggestion really; this should not generate too much workload. Feel free to:

      • (de)prioritize
      • tell me if this doesn't belong in docu
      • bring up to PM
      • and/or close as appropriate, whatever makes more sense really 

       

        Acceptance criteria

              Unassigned Unassigned
              mgeljic Mikaël Geljić
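The two delivery options named in the issue (A. response header, B. meta tag) are not equivalent: per the CSP specification, browsers ignore `frame-ancestors`, `report-uri` and `sandbox` when the policy arrives in a meta element. The following is an added example, not part of the issue and not Magnolia code; it renders one policy for both options and lists the directives that only take effect as a header. The function names and the sample policy are constructed for illustration.

```javascript
// Directives that user agents ignore when the policy is delivered via <meta>
// (CSP specification); they only work as a response header.
const IGNORED_IN_META = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Parse a serialized policy into a Map of directive name -> values.
// Names are case-insensitive and a repeated directive is ignored
// (first occurrence wins), which is how browsers parse policies.
function parseCsp(policy) {
  const seen = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!seen.has(name)) seen.set(name, tokens.slice(1));
  }
  return seen;
}

function serialize(directives) {
  return [...directives].map(([n, v]) => [n, ...v].join(" ")).join("; ");
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Returns the response header (option A), the meta tag (option B) and the
// directives that are only enforced with option A.
function renderCsp(policy) {
  const directives = parseCsp(policy);
  const headerOnly = [...directives.keys()].filter((n) => IGNORED_IN_META.has(n));
  const metaDirectives = new Map(
    [...directives].filter(([n]) => !IGNORED_IN_META.has(n))
  );
  const content = escapeAttr(serialize(metaDirectives));
  return {
    header: { name: "Content-Security-Policy", value: serialize(directives) },
    meta: `<meta http-equiv="Content-Security-Policy" content="${content}">`,
    headerOnly,
  };
}

// Constructed sample policy (not taken from the issue).
const SAMPLE =
  "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; report-uri /csp-report; IMG-SRC *";
const result = renderCsp(SAMPLE);
console.log(`${result.header.name}: ${result.header.value}`);
console.log(result.meta);
console.log("header-only directives:", result.headerOnly.join(", "));
```

A site that relies on `frame-ancestors` for clickjacking protection or on violation reporting therefore needs the header route; the meta tag alone silently drops both.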