Yes, the old format is needed since IE is still a thing unfortunately.
I made a note of it, so maybe I’ll add a switch for it so that users that don’t want support for IE can turn off x-content-security-policy. Would that be a good solution for you?
Sure, however “IE 10-11 support sandbox only” and older versions know nothing about CSP headers:
https://caniuse.com/contentsecuritypolicy
Known issues tab:
Partial support in Internet Explorer 10-11 refers to the browser only supporting the ‘sandbox’ directive by using the X-Content-Security-Policy header.
My local IE11 testing:
Currently there are some “Refused to load image” errors in console for my local dev site in Chrome (just for testing) but loading the same site in IE11 there’s no CSP error at all, so I assume the x-content-security-policy header is useless.
You can comment out these in inc/set-cacsp.php just to try it out:
echo '<meta http-equiv="X-Content-Security-Policy" content="' . $contentSecurityPolicy . '">' . "\n";
header( "X-Content-Security-Policy: " . $contentSecurityPolicy );
I think the switch in the plugin settings you mentioned is a safe idea until it’s not clearly investigated. However based on the links I sent I’m still unsure if the X header does anything at all in IE? (With the same value and without that sandbox flag) If not (my vote), then it could be safely removed (and without the need for that switch).
Here’s another one:
https://security.stackexchange.com/questions/191455/whats-the-alternative-of-content-security-policy-csp-header-in-internet-explo
I remember adding it, to support old IE. But I’ll give it another debug when adding the switch.
@coderars In the new version released today there is a new option for disabling X-Content-Security-Policy. Thanks for your input!
If it’s not too much, please consider leaving a review. 🙂
Currently, I’m quite busy on other parts of my site but as soon as I turn back to well configure/customize this plugin I’ll write a detailed review I promise! 🙂