- New Feature
- Resolution: Unresolved
- Minor
The Cloud team has brought up the topic of Content Security Policy (CSP) to the architecture group.
See:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- section 1 at https://wiki.magnolia-cms.com/display/ARCHI/2018-07-12+CSP+headers%2C+HSTS%2C+Resurface+tab+sheet
In particular, CSP can be enabled either A. through HTTP headers on the response, or B. through meta tags in the page.
We generally think this is a project decision—that we don't need any default or preconfiguration in Magnolia Core—but we were discussing how to address it if a prospect is interested in it or enquires about it (what do we do for similar cases generally, e.g. CORS?).
A small "how-to" page describing the no-brainer filter configuration (see the AddHeadersFilter snippet), or how to add the meta tag to the site prototype, could be considered. We don't need/want to re-explain what CSP is; the Mozilla site is pretty good about it, and if users search for it, there's a good chance they have read about it before.
And most of all, this is just a suggestion really; this should not generate too much workload. Feel free to:
- (de)prioritize
- tell me if this doesn't belong in docu
- bring up to PM
- and/or close as appropriate, whatever makes more sense really
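Added example, not part of the original issue and not Magnolia code: the two delivery options (A. response header, B. meta tag) are not equivalent, because browsers ignore `frame-ancestors`, `report-uri` and `sandbox` when the policy arrives in a `<meta>` element. The sketch below derives both forms from one policy string and reports what option B loses; the function names and the sample policy are constructed for illustration.

```javascript
// Directives that browsers ignore when CSP is delivered via <meta http-equiv>.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Parse "name value...; name value..." into a Map. As in browser parsing,
// the first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serialize(directives) {
  return [...directives].map(([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build option A (header) and option B (meta tag) from the same policy,
// listing the directives that only take effect with option A.
function buildCsp(policy) {
  const directives = parsePolicy(policy);
  const metaDirectives = new Map();
  const droppedInMeta = [];
  for (const [name, values] of directives) {
    if (META_UNSUPPORTED.has(name)) droppedInMeta.push(name);
    else metaDirectives.set(name, values);
  }
  return {
    header: { name: 'Content-Security-Policy', value: serialize(directives) },
    meta: `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(serialize(metaDirectives))}">`,
    droppedInMeta,
  };
}

// Constructed sample policy.
const SAMPLE = "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'; report-uri /csp-report";
const result = buildCsp(SAMPLE);
console.log(`${result.header.name}: ${result.header.value}`);
console.log(result.meta);
console.log('Header-only directives:', result.droppedInMeta.join(', '));
```

A project that relies on `frame-ancestors` for clickjacking protection or on violation reporting therefore needs the header route; the meta tag covers only the resource-loading directives.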