All the directives currently under consideration for CSP level 3. w3c.github.io/webappsec/specs/CSP2/
Think of default-src and report-uri as the beginning and end respectively, everything else is in between.
leftover deprecated values that will be in common use upon upgrading.
These are directives that take a source list, but that do not inherit the default-src value.
These are directives that don't have use a source list, and hence do not inherit the default-src value.
# File lib/secure_headers/headers/policy_management.rb, line 4 def self.included(base) base.extend(ClassMethods) end