fix default CSP headers

2020-02-28 10:46:44 -05:00 · 2020-02-28 10:46:44 -05:00 · 3cf09924ae
parent 8d509fd6d5
commit 3cf09924ae
1 changed files with 4 additions and 2 deletions
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -1,7 +1,9 @@
 var Default = module.exports;

 Default.commonCSP = function (domain) {
+    domain = ' ' + domain;
    // Content-Security-Policy
+
    return [
        "default-src 'none'",
        "style-src 'unsafe-inline' 'self' " + domain,
@ -34,11 +36,11 @@ Default.commonCSP = function (domain) {
 };

 Default.contentSecurity = function (domain) {
-    return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+    return (Default.commonCSP(domain).join('; ') + "script-src 'self' " + domain).replace(/\s+/g, ' ');
 };

 Default.padContentSecurity = function (domain) {
-    return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+    return (Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline' " + domain).replace(/\s+/g, ' ');
 };

 Default.httpHeaders = function () {