sbot/app/lib/files.js

var path = require('path')
var fs   = require('fs')

exports.server = function (req, res) {
  // function toBuffer() {
  //   return pull.map(function (s) { return Buffer.isBuffer(s) ? s : new Buffer(s, 'base64') })
  // }
  // local-host only
  if (req.socket.remoteAddress != '127.0.0.1' &&
      req.socket.remoteAddress != '::ffff:127.0.0.1' &&
      req.socket.remoteAddress != '::1') {
    console.log('Remote access attempted by', req.socket.remoteAddress)
    res.writeHead(403)
    return res.end('Remote access forbidden')
  }

  // restrict the CSP
  res.setHeader('Content-Security-Policy', 
    "default-src 'self' localhost:7777 'unsafe-inline' 'unsafe-eval' data:; "+
    "connect-src 'self'; "+
    "object-src 'none'; "+
    "frame-src 'none'; "+
    "sandbox allow-same-origin allow-scripts"
  )

  fs.createReadStream(req.url)
    .on('error', function () {
      res.writeHead(404)
      res.end('File not found')
    })
    .pipe(res)
}