Hmm, thanks for reporting this. I've usually not wanted to implement too many of these kinds of behaviours into the library as these can change.
If this is implemented, I'd prefer an exception was thrown if both are defined.
It's your call, but I'd vote for a more passive approach. Let's say that someone would like to enable this directive, but first play around in report only mode, as per the recommendation.
Then, in order not to get a runtime error, you'd have to comment out the directive call, or even delete it, if the company policy dictates that no "dead" code should exist.
Imagine then, that (much) later, someone else picks up the code, with the intention of going to live enforce mode. What are the odds for that person to remember, or even know, that the additional directive should be enabled at the same time?
If you have run both csp.SetUpgradeInsecureRequests(); and csp.SetReportOnly();, a warning will be shown in the console of dev tools in the browser:
I suggest to disable output of this directive when in "report only" mode, to avoid this warning.
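The passive approach discussed in this thread, as an added sketch that is not the library's code: the directive stays configured but is left out of the header while in report-only mode, so switching to enforcement brings it back without touching the call site. `CspPolicy` and its method names are hypothetical, and the `/csp-report` endpoint is constructed; `sandbox` is included as a generalization because browsers also ignore it in report-only policies.

```python
# Added illustration; CspPolicy and its methods are hypothetical, not the library's API.

# Directives that browsers ignore when the policy is delivered in the
# Content-Security-Policy-Report-Only header.
IGNORED_IN_REPORT_ONLY = frozenset({"upgrade-insecure-requests", "sandbox"})


class CspPolicy:
    def __init__(self):
        self._directives = {}  # name -> list of values (empty for flag directives)
        self.report_only = False

    def set_directive(self, name, *values):
        self._directives[name] = list(values)
        return self

    def set_upgrade_insecure_requests(self):
        return self.set_directive("upgrade-insecure-requests")

    def set_report_only(self, enabled=True):
        self.report_only = enabled
        return self

    def header(self):
        """Return (header_name, header_value, skipped_directives)."""
        name = ("Content-Security-Policy-Report-Only" if self.report_only
                else "Content-Security-Policy")
        parts, skipped = [], []
        for directive, values in self._directives.items():
            if self.report_only and directive in IGNORED_IN_REPORT_ONLY:
                skipped.append(directive)  # surfaced to the caller, not thrown
                continue
            parts.append(" ".join([directive, *values]))
        return name, "; ".join(parts), skipped


def demo():
    csp = (CspPolicy()
           .set_directive("default-src", "'self'")
           .set_directive("report-uri", "/csp-report")  # constructed endpoint
           .set_upgrade_insecure_requests()
           .set_report_only())
    trial = csp.header()
    enforced = csp.set_report_only(False).header()  # same config, enforce mode
    return trial, enforced


if __name__ == "__main__":
    for name, value, skipped in demo():
        print(f"{name}: {value}  (skipped: {skipped})")
```

Returning the skipped directives lets the application log the omission, so it is neither a silent drop nor a runtime error.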