fix: csp directive with wildcard (#202)

nftstorage · Dec 8, 2022 · 78b8255 · 78b8255
1 parent f5e5009
commit 78b8255
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
@@ -57,7 +57,7 @@ function getTransformedResponseWithCspHeaders(response) {
 
   clonedResponse.headers.set(
     'content-security-policy',
-    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: https://*.w3s.link/* https://*.nftstorage.link/* https://*.dweb.link/* https://ipfs.io/ipfs/* https://*.githubusercontent.com; form-action 'self' ; navigate-to 'self'; connect-src 'self' blob: data: https://*.w3s.link/* https://*.nftstorage.link/* https://*.dweb.link/* https://ipfs.io/ipfs/* https://polygon-rpc.com https://rpc.testnet.fantom.network "
+    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: https://*.w3s.link https://*.nftstorage.link https://*.dweb.link https://ipfs.io/ipfs/ https://*.githubusercontent.com; form-action 'self'; navigate-to 'self'; connect-src 'self' blob: data: https://*.w3s.link https://*.nftstorage.link https://*.dweb.link https://ipfs.io/ipfs/ https://polygon-rpc.com https://rpc.testnet.fantom.network"
   )
 
   return clonedResponse

diff --git a/packages/edge-gateway/test/index.spec.js b/packages/edge-gateway/test/index.spec.js
@@ -20,7 +20,7 @@ test('Gets content from binding', async (t) => {
   const csp = response.headers.get('content-security-policy') || ''
   t.true(csp.includes("default-src 'self' 'unsafe-inline' 'unsafe-eval'"))
   t.true(csp.includes('blob: data'))
-  t.true(csp.includes("form-action 'self' ; navigate-to 'self';"))
+  t.true(csp.includes("form-action 'self'; navigate-to 'self';"))
 })
 
 test('Gets content with no csp header when goodbits csp bypass tag exists', async (t) => {