somewhat stricter httpUnsafeOrigin validation

pull/1/head
ansuz 4 years ago
parent dc091b81c7
commit 942a136886

@ -24,8 +24,8 @@ var fancyURL = function (domain, path) {
};
(function () {
// you absolutely must provide an 'httpUnsafeOrigin'
if (typeof(Env.httpUnsafeOrigin) !== 'string') {
// you absolutely must provide an 'httpUnsafeOrigin' (a truthy string)
if (!Env.httpUnsafeOrigin || typeof(Env.httpUnsafeOrigin) !== 'string') {
throw new Error("No 'httpUnsafeOrigin' provided");
}
@ -66,7 +66,7 @@ var setHeaders = (function () {
}
// next define the base Content Security Policy (CSP) headers
if (typeof(config.contentSecurity) === 'string') { // XXX deprecate this
if (typeof(config.contentSecurity) === 'string') {
headers['Content-Security-Policy'] = config.contentSecurity;
if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {

Loading…
Cancel
Save