Posted to commits@couchdb.apache.org by ja...@apache.org on 2020/06/18 12:57:17 UTC

[couchdb] 01/01: fix: send CSP header to make Fauxotn work fully

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch fix/csp
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit bafb9b952aec153fe3e930dc6bf50d2cda367f7c
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Thu Jun 18 14:55:38 2020 +0200

    fix: send CSP header to make Fauxton work fully
    
    Co-authored-by: Robert Newson <rn...@apache.org>
---
 src/chttpd/src/chttpd_misc.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295..830fea3 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
 maybe_add_csp_headers(Headers, "true") ->
-    DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+    DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
                     "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
     Value = config:get("csp", "header_value", DefaultValues),
     [{"Content-Security-Policy", Value} | Headers];
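Review bot: The new `child-src 'self' data: blob:` directive on the DefaultValues line is deprecated in CSP Level 3, where browsers consult it only as a fallback for `frame-src` and `worker-src`, so which of the two Fauxton actually needs (presumably workers or iframes created from blob: URLs) is not visible from the policy and should be stated, e.g. as a comment above the string: `%% child-src: fallback for frame-src/worker-src; data:/blob: needed by Fauxton — confirm which and prefer the explicit directives`. Allowing `data:` and `blob:` frames and workers is a real widening of the policy, so the rationale belongs next to the value rather than only in the commit title. Note also that the operator override read by `config:get("csp", "header_value", DefaultValues)` replaces the whole string, so any deployment with a custom csp.header_value will not pick up the new directive; if the same default is duplicated in the shipped ini or docs it needs the same change, which this hunk does not show. The `maybe_add_csp_headers/2` function continues past the hunk (the `"true"` clause ends with `;`, the remaining clause is outside).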