Credentials: I created the secure_headers library which essentially does the same thing. I also built the Scala library in use at Twitter today.
secure_headers used to have to_json/from_json functionality (pull request) but I removed it when I rewrote the library (for use at GitHub). This implementation would not be compatible with my implementation which was inspired by this proposal.
I think it would be better to collapse all directive source lists to a flat structure. i.e. instead of having sub elements for "allow" (an array), "self" (boolean), "unsafe-inline" (boolean), "unsafe-eval" (boolean), just have a directive accept an array containing those values. This model matches the spec more closely and in my experience just creates more confusion. While it does have the benefit of validation (against types like unsafe-inli