From ea38f8233fac3ae354bcbbdcf7f37e3e905f15ee Mon Sep 17 00:00:00 2001
From: Paul Frazee
Date: Tue, 21 Jul 2015 12:42:40 -0500
Subject: [PATCH] tighten CSP for blob/file host: remove allow-same-origin

---
 app/lib/blobs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/lib/blobs.js b/app/lib/blobs.js
index 6566e20..1326290 100644
--- a/app/lib/blobs.js
+++ b/app/lib/blobs.js
@@ -89,7 +89,7 @@ module.exports = function (sbot, checkout_dir) {
 "connect-src 'self'; "+
 "object-src 'none'; "+
 "frame-src 'none'; "+
- "sandbox allow-same-origin allow-scripts"
+ "sandbox allow-scripts"
 )
 if (req.url.slice(-7) != '.sha256' && opts.serveFiles) {