Merge pull request #811 from LiskHQ/808-content-security-policy-issue

Content security policy issue - Closes #808
LiskArchive · Sep 7, 2018 · 1923467 · 1923467
2 parents 0b17bea + cfff5ec
commit 1923467
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/app.js b/app.js
@@ -64,16 +64,21 @@ app.use((req, res, next) => {
 	res.setHeader('X-Frame-Options', 'DENY');
 	res.setHeader('X-Content-Type-Options', 'nosniff');
 	res.setHeader('X-XSS-Protection', '1; mode=block');
-	const wsSrc = `ws://${req.get('host')} wss://${req.get('host')}`;
+
 	/* eslint-disable */
-	res.setHeader('Content-Security-Policy',
-		[`frame-ancestors 'none'; default-src 'self';`,
-		`connect-src 'self' ${wsSrc};`,
-		`img-src 'self' https://*.tile.openstreetmap.org www.google-analytics.com stats.g.doubleclick.net;`,
+	const connectSrc = `ws://${req.get('host')} wss://${req.get('host')}`;
+	const contentSecurityPolicy = [
+		`default-src 'self';`,
+		`frame-ancestors 'none';`,
+		`connect-src 'self' ${connectSrc};`,
+		`img-src 'self' https:;`,
 		`style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;`,
-		`script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com;`,
-		`font-src 'self' https://fonts.gstatic.com`].join(' '));
+		`script-src 'self' 'sha256-L6JyfNh6FtKC6umsFxtawnD4dtWi8szFRQZU0tVgsQk=' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com;`,
+		`font-src 'self' https://fonts.gstatic.com`,
+	].join(' ');
 	/* eslint-enable */
+
+	res.setHeader('Content-Security-Policy', contentSecurityPolicy);
 	return next();
 });