Updating content security policy. (#9906)

This commit is contained in:
Christopher Speller
2018-12-03 09:59:30 -08:00
committed by Daniel Schalla
parent bf19debdfd
commit 2770d4db64


@@ -84,7 +84,8 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if h.IsStatic {
// Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
// Set content security policy. This is also specified in the root.html of the webapp in a meta tag.
w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'; script-src 'self' cdn.segment.com/analytics.js/")
} else {
// All api response bodies will be JSON formatted by default
w.Header().Set("Content-Type", "application/json")
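Review bot: The new `script-src` directive on the second `Content-Security-Policy` line is not backed by an `object-src` (or `base-uri`) restriction, so the policy still allows script to run through plugin embeds or a injected `<base>` target even though it now pins script origins; tightening it to `"frame-ancestors 'self'; script-src 'self' cdn.segment.com/analytics.js/; object-src 'none'; base-uri 'self'"` closes that gap without affecting the Segment loader. The comment noting that the policy is duplicated in root.html's meta tag is worth extending, since browsers ignore `frame-ancestors` in a `<meta>` CSP, so this header is the only place the clickjacking restriction actually takes effect; something like `// Note: frame-ancestors is ignored in <meta> CSP, so this header is the sole enforcement point for it.` The two copies should also be kept in sync deliberately, because a browser enforces both and any drift between them silently changes what is allowed. ServeHTTP starts before and continues past this hunk.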