Edgewall Software

Changes between Initial Version and Version 2 of Ticket #12964


Timestamp: Apr 8, 2018, 12:38:13 AM
Author: Ryan J Ollos
Comment:

Do we want to configure any default values for [http-headers]? Is the following suggested?

[http-headers]
Content-Security-Policy = frame-ancestors 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = same-origin
X-Frame-Options = SAMEORIGIN
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block

  • Ticket #12964

    • Property Owner set to Ryan J Ollos
    • Property Status changed from new to assigned
  • Ticket #12964 – Description (initial → v2; the numbered list was added in v2)

    Discussed in gmessage:trac-dev:gDPzxZEo8v0/VMPI57jNCQAJ.

    1. Check whether the HTTP header name is valid, as for the `[trac] xsendfile_header` option.
    2. Check whether the HTTP header value is valid (the value cannot contain control characters except TAB and SPACE).
    3. Ignore some headers, e.g. `Content-Type`, `Content-Length`, `Location`, `ETag`, `Pragma`, `Cache-Control`, `Expires`.
    4. Send configured headers for all send_* methods, including send_error().
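Checks 1 to 3 from the description, as an added Python example that is not Trac's own code: it reads a constructed trac.ini fragment built from the defaults proposed in the comment above, validates header names and values, and drops the reserved headers. The RFC 7230 token syntax used for header names is an assumption, since the page does not show Trac's `xsendfile_header` check.

```python
"""Validate a trac.ini [http-headers] section with the ticket's checks (added example)."""
import configparser
import re

# Assumption: header names must be RFC 7230 tokens (Trac's own check is not on this page).
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Headers Trac sets itself; configured copies are ignored (list from the ticket).
RESERVED = {h.lower() for h in ("Content-Type", "Content-Length", "Location",
                                "ETag", "Pragma", "Cache-Control", "Expires")}

def valid_header_name(name):
    return bool(_TOKEN_RE.fullmatch(name))

def valid_header_value(value):
    """Reject control characters (CR, LF, NUL, DEL, ...) except TAB and SPACE."""
    return all(ch == "\t" or (ord(ch) >= 0x20 and ord(ch) != 0x7f) for ch in value)

def load_http_headers(ini_text):
    """Return ((name, value) pairs to send, in file order, {skipped name: reason})."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep header-name case exactly as written
    parser.read_string(ini_text)
    send, rejected = [], {}
    if not parser.has_section("http-headers"):
        return send, rejected
    for name, value in parser.items("http-headers"):
        if not valid_header_name(name):
            rejected[name] = "invalid header name"
        elif not valid_header_value(value):
            rejected[name] = "invalid header value"
        elif name.lower() in RESERVED:
            rejected[name] = "reserved header, ignored"
        else:
            send.append((name, value))
    return send, rejected

# Constructed trac.ini fragment: the defaults proposed in the comment above,
# plus three entries the checks should drop (the last one carries a CR).
SAMPLE_INI = """\
[http-headers]
Content-Security-Policy = frame-ancestors 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = same-origin
X-Frame-Options = SAMEORIGIN
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
Content-Type = text/plain
Bad Name = text
X-Injected = a\rSet-Cookie: x=y
"""
```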
  • Ticket #12964 – Release Notes (initial → v2)

    Request headers are configurable through the `[http-headers]` section of trac.ini.