Apache CouchDB 1.6.0
Add Experimental Content-Security-Policy-Support (CSP) for Fauxton
Like every web application, Fauxton is vulnerable against XSS and
CSP is a technology that tries to help against that.
The patch makes it possible to enable CSP for the /_utils path and
allows configuration of the sent header.
The default setting for the value of the header breaks the old
Futon, when CSP is enabled there. The old Futon has alot of
inline-JavaScript which is not allowed in the setting I have
chosen as default.
For development, the header is also sent from the Node server
which launches Fauxton in dev-mode.
People can enable the feature by setting enable = true in the
section [csp] of their configs
2 files changed
