tighten CSP for blob/file host: remove allow-same-origin

This commit is contained in:
Paul Frazee 2015-07-21 12:42:40 -05:00
parent 27a985a4bc
commit ea38f8233f

View File

@ -89,7 +89,7 @@ module.exports = function (sbot, checkout_dir) {
"connect-src 'self'; "+
"object-src 'none'; "+
"frame-src 'none'; "+
"sandbox allow-same-origin allow-scripts"
"sandbox allow-scripts"
)
if (req.url.slice(-7) != '.sha256' && opts.serveFiles) {