tex: final CSP bits

2023-05-25 13:15:51 +02:00 · 2023-05-25 13:15:51 +02:00 · b029ddeede
parent 98fda96f9e
commit b029ddeede
1 changed files with 8 additions and 7 deletions
--- a/tex/text.tex
+++ b/tex/text.tex
@ -530,15 +530,16 @@ targeted and not overly broad. To give an example, a website that loads no
 JavaScript at all does not need to allow a popular CDN (Content Delivery
 Network) origin in its \texttt{script-src}, instead it should be set to
 \texttt{'none'}. CSP can also aid with clickjacking protection using its
-\texttt{frame-ancestors} directive, which could limit origins that could be
+\texttt{frame-ancestors} directive, which could limit origins that could embed
-embed the website, preventing attacker from embedding the website at random
+the website, preventing attacker from embedding the website at random places,
-places.
+that is malicious websites that masquerade as being legitimate.
 Getting CSP right can be tricky at first but once grokked, it is relatively
-straight-forward and can increase the security of the site greatly. There are
+straight-forward and can increase the security of the site greatly. While
-many more directives and settings than mentioned in this section, the author
+testing, it is best to enable CSP in the report-only mode before turning it on
-encourages anybody interested to give it a read, e.g.\ at
+in production. There are many more directives and settings than mentioned in
-\url{https://web.dev/csp/}.
+this section, the author encourages anybody interested to give it a read, e.g.\
 at \url{https://web.dev/csp/}.
 \n{2}{Summary}