Set correct mime type in jailed. Set correct types on script imports in bonfire/show. Open helmet up to potentially unsafe levels by allowing "* unsafe-inline" in scriptSrc.

This commit is contained in:
terakilobyte
2015-05-06 14:06:10 -04:00
parent 68420149b0
commit 72339f9183
4 changed files with 28 additions and 18 deletions

5
app.js

@@ -115,6 +115,7 @@ app.disable('x-powered-by');
app.use(helmet.xssFilter());
app.use(helmet.noSniff());
app.use(helmet.xframe());
/*
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Headers',
@@ -122,6 +123,7 @@ app.use(function(req, res, next) {
);
next();
});
*/
var trusted = [
"'self'",
@@ -167,7 +169,8 @@ app.use(helmet.contentSecurityPolicy({
scriptSrc: [
'*.optimizely.com',
'*.aspnetcdn.com',
'*.d3js.org'
'*.d3js.org',
"* 'unsafe-inline'"
].concat(trusted),
'connect-src': [
'ws://*.rafflecopter.com',
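Review bot: Adding `"* 'unsafe-inline'"` to scriptSrc allows script from any origin plus inline scripts, which removes the protection the script-src directive gives against injected script, and the xssFilter/noSniff/xframe headers in the first hunk do not compensate for that. The wildcard also makes the named hosts and the `.concat(trusted)` allowlist in this directive redundant, so the policy no longer expresses what the site actually needs. If inline scripts are the blocker, keep the host allowlist and permit them with per-response nonces or hashes of the specific inline blocks rather than `*`; if `'unsafe-inline'` is unavoidable for now, add it as its own entry `"'unsafe-inline'"` without `'*'`, since one array element carrying two space-separated sources hides that two distinct relaxations are being made. The first two hunks comment out the old CORS middleware instead of deleting it; version control already keeps it, so removing the block would be cleaner.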