Content Security Policy (#5790)

* Adding CSP headers. * Adding Content-Security-Policy headers. * Fixing test. * CSP in ws server responses.
2017-06-28 09:12:02 +02:00
parent 57626b60e7
commit c7a043b864
5 changed files with 52 additions and 7 deletions
--- a/rpc/src/v1/extractors.rs
+++ b/rpc/src/v1/extractors.rs
@@ -140,6 +140,9 @@ fn add_security_headers(res: &mut ws::ws::Response) {
 	headers.push(("X-Frame-Options".into(), b"SAMEORIGIN".to_vec()));
 	headers.push(("X-XSS-Protection".into(), b"1; mode=block".to_vec()));
 	headers.push(("X-Content-Type-Options".into(), b"nosniff".to_vec()));
+	headers.push(("Content-Security-Policy".into(),
+		b"default-src 'self';form-action 'none';block-all-mixed-content;sandbox allow-scripts;".to_vec()
+	));
 }

 fn auth_token_hash(codes_path: &Path, protocol: &str, save_file: bool) -> Option<H256> {