Merge pull request #237 from eevans/csp-docs

content-security-policy headers breakage
wikimedia · Apr 25, 2015 · 955bc62 · 955bc62
2 parents 670f63a + 54d079f
commit 955bc62
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/lib/server.js b/lib/server.js
@@ -43,8 +43,10 @@ function handleResponse (opts, req, resp, response) {
 
         if (!/^application\/json/.test(rh['content-type'])) {
             rh['X-XSS-Protection'] = '1; mode=block';
-            rh['Content-Security-Policy'] =
-                "default-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'";
+            if (!rh['Content-Security-Policy']) {
+                rh['Content-Security-Policy'] =
+                    "default-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'";
+            }
             // For IE 10 & 11
             rh['X-Content-Security-Policy'] = rh['Content-Security-Policy'];
             // For Chrome <= v25 (seems to be <1% traffic; should we still

diff --git a/lib/swaggerUI.js b/lib/swaggerUI.js
@@ -37,6 +37,7 @@ function staticServe (restbase, req) {
             status: 200,
             headers: {
                 'content-type': contentType,
+                'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self';"
             },
             body: body
         });