Send the appropriate headers as expected by misc-server tests #184
Conversation
Could you also add some documentation to misc-server about places to update if we want to add more headers?
I've sent whatwg/misc-server#148 to delete the old configuration. But there is no central place of headers, just individual places for marquee, isindex and now this repo. Do you want me to link them all together?
At least some pointer from misc-server to here so it's clear it's now a multi-repo situation.
I've rolled that into whatwg/misc-server#148.
There does not appear to be a way to configure DigitalOcean Apps to always send some headers (other than CORS), so I built it into the app directly.
// in https://github.com/whatwg/misc-server. | ||
ctx.set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"); | ||
ctx.set("X-Content-Type-Options", "nosniff"); | ||
ctx.set("X-Frame-Options", "deny"); |
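Review bot: `X-Frame-Options: deny` on the last line is the legacy framing control; browsers that support `Content-Security-Policy: frame-ancestors` give it precedence when both are present, so consider also sending `ctx.set("Content-Security-Policy", "frame-ancestors 'none'")` here for consistent behaviour across clients. The Strict-Transport-Security value two lines up already meets the preload-list requirements (max-age of at least one year, includeSubDomains, preload), so no change is needed there.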
Do we want to avoid setting this on non-HTML responses, where it has no impact? You could check if (ctx.type.startsWith("text/html"))
It will have impact, no? Otherwise those responses could be framed.
For the misc-server configs we send it unconditionally. If it's merely a no-op for some kinds of responses, isn't that fine?
True, I guess I meant, where it's not needed.
Old somewhat-similar discussion seems to have concluded in favor of using headers more often than not: whatwg/misc-server#90
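The thread above settles on sending the three headers unconditionally rather than only on `text/html`. As an added example (not code from this PR or from whatwg/misc-server), here is a Koa-style middleware that does exactly that, together with a checker in the spirit of the misc-server header tests that verifies a response carries the expected values, including the HSTS preload requirements. Only the Koa `ctx.set()` shape is relied on; the `makeCtx` stand-in and the `EXPECTED` table are constructed for this example so it runs without Koa.

```javascript
// Added example, not part of the whatwg PR or misc-server.
// Expected header values (constructed to match the values in the diff above).
const EXPECTED = {
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "x-content-type-options": "nosniff",
  "x-frame-options": "deny",
};

// Set the headers on any response, regardless of content type, as the
// discussion concluded. Koa's ctx.set() is the only API assumed here.
function applyHeaders(ctx) {
  ctx.set("Strict-Transport-Security", EXPECTED["strict-transport-security"]);
  ctx.set("X-Content-Type-Options", EXPECTED["x-content-type-options"]);
  ctx.set("X-Frame-Options", EXPECTED["x-frame-options"]);
}

// Koa middleware wrapper around applyHeaders (hypothetical name).
function securityHeaders(ctx, next) {
  applyHeaders(ctx);
  return next();
}

// Parse an HSTS value into a directive map with lower-cased names;
// valueless directives (includeSubDomains, preload) map to true.
function parseHsts(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [name, v] = part.trim().split("=");
    if (name) out[name.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return out;
}

// Check a response's headers against the policy. Returns a list of
// problems; an empty list means the response passes. The HSTS checks
// mirror the preload-list requirements: max-age >= 31536000 (one year),
// includeSubDomains and preload all present.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    problems.push("missing Strict-Transport-Security");
  } else {
    const d = parseHsts(hsts);
    if (!(Number(d["max-age"]) >= 31536000)) problems.push("HSTS max-age below one year");
    if (d["includesubdomains"] !== true) problems.push("HSTS missing includeSubDomains");
    if (d["preload"] !== true) problems.push("HSTS missing preload");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    problems.push("X-Content-Type-Options is not nosniff");
  }

  const xfo = (h["x-frame-options"] || "").toLowerCase();
  if (xfo !== "deny" && xfo !== "sameorigin") {
    problems.push("X-Frame-Options missing or permissive");
  }
  return problems;
}

// Minimal stand-in for a Koa context (constructed for this example only).
function makeCtx(type) {
  const headers = {};
  return {
    type,
    headers,
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Apply the headers to an HTML and a JSON response and check both:
// with unconditional setting, neither content type has any problems.
function demo() {
  const results = {};
  for (const type of ["text/html", "application/json"]) {
    const ctx = makeCtx(type);
    applyHeaders(ctx);
    results[type] = checkSecurityHeaders(ctx.headers);
  }
  return results;
}
```

`checkSecurityHeaders` is the part worth keeping around: run it against the headers of a deployed response and a non-empty result tells you which of the three headers regressed, which is the kind of check the misc-server tests referenced in the PR title perform.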
Co-authored-by: Domenic Denicola <[email protected]>
There does not appear to be a way to configure DigitalOcean Apps to
always send some headers (other than CORS), so I built it into the app
directly.