Set stricter CSP header in redirect response

expressjs · May 11, 2019 · ab7cc3c · ab7cc3c
1 parent 8abdc49
commit ab7cc3c
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Set stricter CSP header in redirect response
   * deps: [email protected]
     - deps: range-parser@~1.2.1
 

diff --git a/index.js b/index.js
@@ -202,7 +202,7 @@ function createRedirectDirectoryListener () {
     res.statusCode = 301
     res.setHeader('Content-Type', 'text/html; charset=UTF-8')
     res.setHeader('Content-Length', Buffer.byteLength(doc))
-    res.setHeader('Content-Security-Policy', "default-src 'self'")
+    res.setHeader('Content-Security-Policy', "default-src 'none'")
     res.setHeader('X-Content-Type-Options', 'nosniff')
     res.setHeader('Location', loc)
     res.end(doc)

diff --git a/test/test.js b/test/test.js
@@ -511,7 +511,7 @@ describe('serveStatic()', function () {
     it('should respond with default Content-Security-Policy', function (done) {
       request(server)
         .get('/users')
-        .expect('Content-Security-Policy', "default-src 'self'")
+        .expect('Content-Security-Policy', "default-src 'none'")
         .expect(301, done)
     })