This repository was archived by the owner on Aug 3, 2020. It is now read-only.
I plan to remove browser sniffing from the next major version of helmet-csp.
Different browsers have different support for Content Security Policies. Some only support certain directives, while some use different headers (like X-Webkit-CSP). Currently, this module sniffs the browser's User-Agent to figure out what headers to set. However, I'm planning to remove this from the next major version.
My reasons:
Browser sniffing has been the source of many bugs due to its complexity.
Browser sniffing makes this module difficult for me to maintain confidently.
Modern browsers' CSP implementations are fairly stable, and user share of old browsers is dropping. That makes browser sniffing less useful.
Content Security Policies are typically used as defense-in-depth rather than the first line of defense against attacks. For example, you should probably sanitize user input and not rely on CSP.
Parsing and switching on the User-Agent is slower and uses more memory.
I opened this issue to track the work, but mostly to solicit feedback. If you rely on browser sniffing and would be sad to see it go, or if you have other thoughts, let me know!
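The two approaches the issue contrasts, as an added example that is not helmet-csp's own code: a middleware that sets the standard Content-Security-Policy header for every client regardless of User-Agent, beside the sniffing variant that picks the header name per request. The directives object, the User-Agent strings and the WebKit version cut-off used by the sniffing rule are all constructed for illustration and are assumptions, not helmet-csp's real table.

```javascript
'use strict';
// Added example, not helmet-csp's own code. buildCspHeader serializes a
// directives object; csp() sets the standard header unconditionally;
// cspWithSniffing() shows the User-Agent-based selection being removed.

// Serialize { 'default-src': ["'self'"], 'upgrade-insecure-requests': [] }
// into "default-src 'self'; upgrade-insecure-requests".
function buildCspHeader(directives) {
  const parts = [];
  for (const [name, raw] of Object.entries(directives)) {
    if (!/^[a-z][a-z-]*$/.test(name)) {
      throw new Error(`invalid directive name: ${name}`);
    }
    const values = Array.isArray(raw) ? raw : [raw];
    for (const v of values) {
      // A ';' or ',' inside a source value would let it smuggle in a further
      // directive (or a second header value), so reject it outright.
      if (typeof v !== 'string' || /[;,\s]/.test(v)) {
        throw new Error(`invalid value for ${name}: ${String(v)}`);
      }
    }
    parts.push(values.length ? `${name} ${values.join(' ')}` : name);
  }
  return parts.join('; ');
}

// No sniffing: the header name depends only on configuration, and the value
// is serialized once at startup rather than on every request.
function csp({ directives, reportOnly = false }) {
  const headerName = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const value = buildCspHeader(directives);
  return function cspMiddleware(req, res, next) {
    res.setHeader(headerName, value);
    next();
  };
}

// The approach the issue proposes to remove: parse User-Agent per request and
// choose the header name from it. The cut-off below is an assumption chosen
// for illustration (old WebKit builds only honoured the prefixed X-WebKit-CSP
// header); a real table needs a rule per engine and version and breaks when
// engines change their UA strings, which is the maintenance cost described.
const LEGACY_WEBKIT_CUTOFF = 537; // assumed, illustrative only

function legacyHeaderNames(userAgent) {
  const m = /AppleWebKit\/(\d+)/.exec(String(userAgent || ''));
  if (m && Number(m[1]) < LEGACY_WEBKIT_CUTOFF) return ['X-WebKit-CSP'];
  return ['Content-Security-Policy'];
}

function cspWithSniffing({ directives }) {
  const value = buildCspHeader(directives);
  return function sniffingMiddleware(req, res, next) {
    for (const name of legacyHeaderNames(req.headers['user-agent'])) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Run a middleware against a constructed request/response (no server needed)
// and return the headers it set.
function runMiddleware(middleware, userAgent) {
  const req = { headers: { 'user-agent': userAgent } };
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  middleware(req, res, () => {});
  return headers;
}

// Constructed sample policy and UA strings for the demo.
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'], // hypothetical host
  'object-src': ["'none'"],
  'upgrade-insecure-requests': [],
};
const OLD_WEBKIT_UA =
  'Mozilla/5.0 (Macintosh) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Safari/536.26';
const MODERN_UA =
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36';

console.log(runMiddleware(csp({ directives: policy }), OLD_WEBKIT_UA));
console.log(runMiddleware(cspWithSniffing({ directives: policy }), OLD_WEBKIT_UA));
console.log(runMiddleware(cspWithSniffing({ directives: policy }), MODERN_UA));
```

The non-sniffing `csp()` never looks at the request, so it has nothing to get wrong per client and does no parsing on the hot path; the price is that a legacy client that only understood a prefixed header name gets a policy it ignores, which is the trade-off the issue accepts on the grounds that CSP is defence in depth.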