fix(server): Add a 'connect-src' directive to allow contact with the …

…auth-server and oauth-server fixes #1253
mozilla · Jun 18, 2014 · 28d9a90 · 28d9a90
1 parent a13a8eb
commit 28d9a90
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/server/bin/fxa-content-server.js b/server/bin/fxa-content-server.js
@@ -70,6 +70,10 @@ function makeApp() {
   app.use(helmet.hsts(config.get('hsts_max_age'), true));
   if (config.get('env') === 'development') {
     app.use(helmet.csp({'default-src': ['\'self\''],
+                        'connect-src': ['\'self\'',
+                              config.get('fxaccount_url'),
+                              config.get('oauth_url')
+                        ],
                         'report-uri': '/_/csp-violation',
                         'reportOnly': true
                        }));