|
|
@ -24,8 +24,8 @@ var fancyURL = function (domain, path) {
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
(function () {
|
|
|
|
(function () {
|
|
|
|
// you absolutely must provide an 'httpUnsafeOrigin'
|
|
|
|
// you absolutely must provide an 'httpUnsafeOrigin' (a truthy string)
|
|
|
|
if (typeof(Env.httpUnsafeOrigin) !== 'string') {
|
|
|
|
if (!Env.httpUnsafeOrigin || typeof(Env.httpUnsafeOrigin) !== 'string') {
|
|
|
|
throw new Error("No 'httpUnsafeOrigin' provided");
|
|
|
|
throw new Error("No 'httpUnsafeOrigin' provided");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -66,7 +66,7 @@ var setHeaders = (function () {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// next define the base Content Security Policy (CSP) headers
|
|
|
|
// next define the base Content Security Policy (CSP) headers
|
|
|
|
if (typeof(config.contentSecurity) === 'string') { // XXX deprecate this
|
|
|
|
if (typeof(config.contentSecurity) === 'string') {
|
|
|
|
headers['Content-Security-Policy'] = config.contentSecurity;
|
|
|
|
headers['Content-Security-Policy'] = config.contentSecurity;
|
|
|
|
if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
|
|
|
|
if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
|
|
|
|
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
|
|
|
|
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
|
|
|
|