From 0802f82356299199b5329c8002fa32bfbafed281 Mon Sep 17 00:00:00 2001 From: Zeke Sikelianos Date: Tue, 19 Jun 2018 17:36:37 -0700 Subject: [PATCH] doc: add CSP examples (#13167) * doc: add CSP examples * Deafult to zero-permissions CSP --- docs/tutorial/security.md | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md index 451542151740..f737e5a0cb49 100644 --- a/docs/tutorial/security.md +++ b/docs/tutorial/security.md @@ -339,12 +339,7 @@ CSP allows the server serving content to restrict and control the resources Electron can load for that given web page. `https://your-page.com` should be allowed to load scripts from the origins you defined while scripts from `https://evil.attacker.com` should not be allowed to run. Defining a CSP is an -easy way to improve your applications security. - -### How? - -Electron respects [the `Content-Security-Policy` HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) -and the respective `` tag. +easy way to improve your application's security. The following CSP will allow Electron to execute scripts from the current website and from `apis.mydomain.com`. 
@@ -357,6 +352,32 @@ Content-Security-Policy: '*' Content-Security-Policy: script-src 'self' https://apis.mydomain.com ``` +### CSP HTTP Header + +Electron respects the [`Content-Security-Policy` HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) +which can be set using Electron's +[`webRequest.onHeadersReceived`](../api/web-request.md#webrequestonheadersreceivedfilter-listener) +handler: + +```javascript +const {session} = require('electron') + +session.defaultSession.webRequest.onHeadersReceived((details, callback) => { + callback({responseHeaders: `default-src 'none'`}) +}) +``` + +### CSP Meta Tag + +CSP's preferred delivery mechanism is an HTTP header. It can be useful, however, +to set a policy on a page directly in the markup using a `` tag: + +```html + +``` + +#### `webRequest.onHeadersReceived([filter, ]listener)` + ## 7) Override and Disable `eval`
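Review bot: in the first hunk (`@@ -339,12 +339,7 @@`), removing `### How?` leaves the sentence "The following CSP will allow Electron to execute scripts from the current website and from `apis.mydomain.com`" running straight on from the motivating paragraph, and the `### CSP HTTP Header` and `### CSP Meta Tag` sections added later become siblings of that text rather than children of a How? subsection; if the other numbered items in this checklist keep a Why?/How? split, consider retaining `### How?` here and nesting the two new sections under it as `####`. The `applications` to `application's` correction is right.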
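Review bot: the `onHeadersReceived` example under `### CSP HTTP Header` passes a bare template string as `responseHeaders`, but the callback expects an object keyed by header name with an array of values per header, so as written no `Content-Security-Policy` header is emitted and the response's existing headers are discarded; merge the incoming headers and add the policy under its own name, e.g. `callback({ responseHeaders: { ...details.responseHeaders, 'Content-Security-Policy': ["default-src 'none'"] } })`. The `#### \`webRequest.onHeadersReceived([filter, ]listener)\`` heading inserted just before `## 7) Override and Disable \`eval\`` has no body and reads as a leftover; either drop it or fold it into the link already given in the paragraph above. Since `default-src 'none'` also blocks the page's own scripts and styles, a sentence noting that this deny-all default is the starting point to be relaxed per directive, as in the earlier `script-src 'self' https://apis.mydomain.com` example, would help readers who copy the snippet.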