From 3cf09924aec87b7bd98876c54c19cd84d25d3213 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Fri, 28 Feb 2020 10:46:44 -0500
Subject: [PATCH] fix default CSP headers

---
 lib/defaults.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/defaults.js b/lib/defaults.js
index fc807a2c7..6d8ec5e04 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -1,7 +1,9 @@
 var Default = module.exports;
 
 Default.commonCSP = function (domain) {
+ domain = ' ' + domain;
 // Content-Security-Policy
+
 return [
 "default-src 'none'",
 "style-src 'unsafe-inline' 'self' " + domain,
@@ -34,11 +36,11 @@ Default.commonCSP = function (domain) {
 };
 
 Default.contentSecurity = function (domain) {
- return Default.commonCSP(domain).join('; ') + "script-src 'self'" + domain;
+ return (Default.commonCSP(domain).join('; ') + "script-src 'self' " + domain).replace(/\s+/g, ' ');
 };
 
 Default.padContentSecurity = function (domain) {
- return Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain;
+ return (Default.commonCSP(domain).join('; ') + "script-src 'self' 'unsafe-eval' 'unsafe-inline' " + domain).replace(/\s+/g, ' ');
 };
 
 Default.httpHeaders = function () {
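Review bot: The new first line of commonCSP, `domain = ' ' + domain;`, reassigns the parameter and turns a missing or undefined argument into the literal token `undefined` inside every directive that appends it, so a misconfigured caller gets a syntactically valid but meaningless policy instead of an error. I would normalize before building the list, e.g. `domain = typeof domain === 'string' && domain ? ' ' + domain : '';`, and document the assumption that `domain` is one configured origin rather than request-derived input — a `;` or whitespace inside it would split the header into extra directives, and nothing here checks for that. The space prepended here also duplicates the trailing space already present in entries such as `"style-src 'unsafe-inline' 'self' " + domain`; the `\s+` collapse that hides the doubled spaces lives only in the two wrappers in the next hunk, so any other consumer of this array still sees them. commonCSP's body continues past the end of the hunk.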
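Review bot: Both rewritten return lines still concatenate `script-src` straight onto the output of `.join('; ')` with no `; ` between them, so the header is only well-formed if commonCSP's array happens to end with an empty entry — its tail is outside this hunk, and the whitespace collapse would not repair a missing separator. Appending the directive as a list element makes the separator explicit regardless of how the array ends: `return Default.commonCSP(domain).concat("script-src 'self' " + domain).filter(Boolean).join('; ').replace(/\s+/g, ' ');` (and the same shape in padContentSecurity). The `'unsafe-inline'` and `'unsafe-eval'` in padContentSecurity largely neutralize script-src for pad pages, which is presumably deliberate for the editor; a one-line comment such as `// pads need inline/eval scripts; every other route should use contentSecurity` above that return would stop someone from copying it to other routes.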