| <? | |
| //CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+ | |
| $headerCSP = "Content-Security-Policy:". | |
| "connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource. | |
| "default-src 'self';". // Default policy for loading html elements | |
| "frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress | |
| "frame-src 'none';". // vaid sources for frames | |
| "media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src) | |
| "object-src 'none'; ". // valid object embed and applet tags src | |
| "report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked |
It's not immediately obvious how to pull down the code for a PR and test it locally. But it's pretty easy. (This assumes you have a remote for the main repo named upstream.)
Getting the PR code
Make note of the PR number. For example, Rod's latest is PR #37: Psiphon-Labs/psiphon-tunnel-core#37
Fetch the PR's pseudo-branch (or bookmark or rev pointer whatever the word is), and give it a local branch name. Here we'll name it pr37:
$ git fetch upstream pull/37/head:pr37