Set stricter CSP header in redirect & error responses

HISTORY.md

@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Set stricter CSP header in redirect & error responses
+
 0.17.0 / 2019-05-03
 ===================
 

index.js

@@ -288,7 +288,7 @@ SendStream.prototype.error = function error (status, err) {
   res.statusCode = status
   res.setHeader('Content-Type', 'text/html; charset=UTF-8')
   res.setHeader('Content-Length', Buffer.byteLength(doc))
-  res.setHeader('Content-Security-Policy', "default-src 'self'")
+  res.setHeader('Content-Security-Policy', "default-src 'none'")
   res.setHeader('X-Content-Type-Options', 'nosniff')
   res.end(doc)
 }
@@ -493,7 +493,7 @@ SendStream.prototype.redirect = function redirect (path) {
   res.statusCode = 301
   res.setHeader('Content-Type', 'text/html; charset=UTF-8')
   res.setHeader('Content-Length', Buffer.byteLength(doc))
-  res.setHeader('Content-Security-Policy', "default-src 'self'")
+  res.setHeader('Content-Security-Policy', "default-src 'none'")
   res.setHeader('X-Content-Type-Options', 'nosniff')
   res.setHeader('Location', loc)
   res.end(doc)

test/send.js

@@ -365,7 +365,7 @@ describe('send(file).pipe(res)', function () {
       request(createServer({ root: fixtures }))
         .get('/pets')
         .expect('Location', '/pets/')
-        .expect('Content-Security-Policy', "default-src 'self'")
+        .expect('Content-Security-Policy', "default-src 'none'")
         .expect(301, done)
     })
 
@@ -400,7 +400,7 @@ describe('send(file).pipe(res)', function () {
     it('should respond with default Content-Security-Policy', function (done) {
       request(createServer({ root: fixtures }))
         .get('/foobar')
-        .expect('Content-Security-Policy', "default-src 'self'")
+        .expect('Content-Security-Policy', "default-src 'none'")
         .expect(404, done)
     })