tighten CSP for blob/file host: remove allow-same-origin

2015-07-21 12:42:40 -05:00 · 2015-07-21 12:42:40 -05:00 · ea38f8233f
--- a/app/lib/blobs.js
+++ b/app/lib/blobs.js
@ -89,7 +89,7 @@ module.exports = function (sbot, checkout_dir) {
          "connect-src 'self'; "+
          "object-src 'none'; "+
          "frame-src 'none'; "+
-          "sandbox allow-same-origin allow-scripts"
+          "sandbox allow-scripts"
        )

        if (req.url.slice(-7) != '.sha256' && opts.serveFiles) {