This allows you to whitelist inline scripts by providing the hash values. There are some smarts here that will automatically compute hashes in dev/test and warn you if things are going to blow up.
A warning message is printed to the console if an unknown hash is mentioned.
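
An added illustration of the hash check described above (not the project's own code): it computes the CSP `'sha256-...'` source expression for each inline script in a constructed sample page and reports any that are missing from the allowed list. The helper names, the sample HTML and the allowed list are assumptions made for this example.

```ruby
require "digest"

# CSP hash source for an inline script: 'sha256-<base64 of the raw digest>'.
# The browser hashes the exact bytes between <script> and </script>, so any
# whitespace change in the script body produces a different hash.
def csp_hash_source(script_body)
  "'sha256-#{Digest::SHA256.base64digest(script_body)}'"
end

# Bodies of inline scripts (no src attribute) in rendered HTML.
# The regex is adequate for the constructed sample; it is not an HTML parser.
def inline_scripts(html)
  html.scan(/<script(?![^>]*\bsrc=)[^>]*>(.*?)<\/script>/mi).flatten
end

# Hash sources present in the page but absent from the allowed list.
def unknown_hashes(html, allowed)
  inline_scripts(html).map { |body| csp_hash_source(body) }.uniq - allowed
end

# script-src directive that permits same-origin files plus the hashed scripts.
def script_src_directive(allowed)
  (["script-src", "'self'"] + allowed).join(" ")
end

# Constructed sample page: one external script and two inline scripts.
SAMPLE_HTML = <<~HTML
  <html><head>
  <script src="/assets/app.js"></script>
  <script>window.appReady = true;</script>
  </head><body>
  <script>console.log("added later, not in the allowed list");</script>
  </body></html>
HTML

# Constructed allowed list: only the first inline script has been registered.
ALLOWED = [csp_hash_source("window.appReady = true;")].freeze

if __FILE__ == $0
  puts script_src_directive(ALLOWED)
  unknown_hashes(SAMPLE_HTML, ALLOWED).each do |h|
    warn "inline script with hash #{h} is not allowed and will be blocked"
  end
end
```
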
* Chrome supports the X-Content-Type-Options header for a few use cases
(including not processing JavaScript for text/plain content types), so
send the X-Content-Type-Options header to Chrome users (fixes #53).
* Clean up HSTS tests to better match other header tests.
* Test X-XSS-Protection header on all browsers.
* Test X-Content-Type-Options header on both IE and Chrome.
* Two changes to X-Frame-Options, as per current spec draft
(https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
- Use 'X-Frame-Options' instead of 'X-FRAME-OPTIONS'
- Make the colon after X-Frame-Options: ALLOW-FROM optional
* Fix typo in README for 'widely supported' config
* Improve spec test descriptions