From 7bffc702034d3a85ae328c3122e7ef3c9546de3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?= Date: Tue, 4 Jan 2022 14:44:12 +0100 Subject: [PATCH] XEP-0363: Servers may want to sign headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/xep-0363.xml b/xep-0363.xml index c3a165f0..f4e48919 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -354,6 +354,7 @@ Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; ]]>

The provided policy will prohibit a browser from executing all active content from the HTTP upload domain (default-src 'none') and forbid embedding it from other pages (frame-ancestors 'none'). More information on Content-Security-Policy can be found on infosec.mozilla.org.

Further isolation can be achieved by hosting those files on an entirely different domain instead of using subdomains.

+

Headers may be signed so that receiving HTTP entities can verify these haven't been tempered with by clients.
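Review bot: The added sentence is too vague to act on and is placed in the wrong context. It does not say which headers are meant, which party signs them, or which party verifies the signature, and it reads as a stray remark after the Content-Security-Policy and domain-isolation paragraphs, which concern browser-side isolation of hosted files rather than header integrity. Suggest moving it next to the text that describes the headers a client must send with its upload request, and tightening it along the lines of: "The service issuing the upload slot may sign the headers it instructs the client to send, so that the receiving HTTP entity can verify they have not been tampered with by the client." Also fix the typo: "tempered" should be "tampered".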