Fix CSP for subdomains

This commit is contained in:
Omar Roth 2019-05-10 15:29:10 -05:00
parent fd8af88493
commit ddfd20d997
No known key found for this signature in database
GPG key ID: B8254FB7EC3D37F2

View file

@ -187,9 +187,10 @@ end
proxies = PROXY_LIST proxies = PROXY_LIST
before_all do |env| before_all do |env|
host_url = make_host_url(config, Kemal.config)
env.response.headers["X-XSS-Protection"] = "1; mode=block;" env.response.headers["X-XSS-Protection"] = "1; mode=block;"
env.response.headers["X-Content-Type-Options"] = "nosniff" env.response.headers["X-Content-Type-Options"] = "nosniff"
env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' https://*.googlevideo.com:443" env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' #{host_url} 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' #{host_url} https://*.googlevideo.com:443"
env.response.headers["Referrer-Policy"] = "same-origin" env.response.headers["Referrer-Policy"] = "same-origin"
if Kemal.config.ssl || config.https_only if Kemal.config.ssl || config.https_only