From 321d7182ae436dfea1a81a7f6e1444bded42fcf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= Date: Mon, 4 Dec 2017 20:46:49 -0800 Subject: [PATCH] Add child-src CSP directive --- server/core/response.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/server/core/response.go b/server/core/response.go index fc15e420..70050a19 100644 --- a/server/core/response.go +++ b/server/core/response.go @@ -69,7 +69,10 @@ func (r *Response) commonHeaders() { r.writer.Header().Set("X-XSS-Protection", "1; mode=block") r.writer.Header().Set("X-Content-Type-Options", "nosniff") r.writer.Header().Set("X-Frame-Options", "DENY") - r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *") + + // Even if the directive "frame-src" has been deprecated in Firefox, + // we keep it to stay compatible with other browsers. + r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *") } // NewResponse returns a new Response.