Content Security Policy and non-HTML resources

Thank you for a great framework!

I am curious as to why Content Security Policy middleware filters out all non-HTML resources before building the CSP header. From the source code it seems like its was clearly done for a reason, but I have trouble finding one.

I checked out W3C’s spec for CSP, and it states that a policy is applicable to a Document or a Worker, where Document can either have HTML or XML type (yet it still has a content_type attribute :thinking:). This could be implying that CSP is only applicable to HTML documents but I could be misinterpreting the specification.

The concern here is that when controller renders an application/pdf for example, frame-ancestors directive (as well as the whole CSP header) is stripped away, allowing foreign websites to <embed src="mydoc.pdf">. It does not seem like the security implications of that are severe (I’m not even sure what they are, except for the mere possibility of embedding my content into other websites), yet I’d prefer to have a uniform CSP across the board.

I am hoping that someone could clarify this behavior.