From 9849acd49e79e31baab7c0462212af4ff32c2d40 Mon Sep 17 00:00:00 2001
From: Michael Q Larson
Date: Mon, 22 Dec 2014 12:36:45 -0800
Subject: [PATCH] fixed helmet related errors

---
 app.js | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/app.js b/app.js
index ec7e638054..1d9e9b0274 100644
--- a/app.js
+++ b/app.js
@@ -92,14 +92,27 @@ app.use(flash());
 app.disable('x-powered-by');
 app.use(helmet.xssFilter());
 app.use(helmet.xframe());
+var trusted = [
+ "'self'",
+ '*.freecodecamp.com',
+ "*.google-analytics.com",
+ "*.googleapis.com",
+ "*.gstatic.com",
+ "*.doubleclick.net",
+ "*.twitter.com",
+ '*.twimg.com',
+ "*.githubusercontent.com",
+ "'unsafe-eval'",
+ "'unsafe-inline'"
+];
 app.use(helmet.contentSecurityPolicy({
- defaultSrc: ["'self'", 'freecodecamp.com'],
- scriptSrc: ['*.google-analytics.com', '*.optimizely.com', '*.googleapis.com', '*.twitter.com'],
- styleSrc: ["'self'", '*.twitter.com'],
- imgSrc: ["'self'", '*.amazonaws.com', '*.twitter.com', '*.twimg.com'],
- fontSrc: ["'self", '*.googleapis.com', '*.twitter.com'],
+ defaultSrc: trusted,
+ scriptSrc: ['*.optimizely.com'].concat(trusted),
+ styleSrc: trusted,
+ imgSrc: ['*.evernote.com', '*.amazonaws.com', "data:"].concat(trusted),
+ fontSrc: ["'self", '*.googleapis.com'].concat(trusted),
 mediaSrc: ['*.amazonaws.com', '*.twitter'],
- frameSrc: ['*.gitter.im', '*.vimeo.com'],
+ frameSrc: ['*.gitter.im', '*.vimeo.com', '*.twitter.com'],
 // sandbox: ['allow-forms', 'allow-scripts'],
 // reportUri: '/report-violation',
 reportOnly: false, // set to true if you only want to report errors
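Review bot: The shared `trusted` list now carries `"'unsafe-eval'"` and `"'unsafe-inline'"` and is used verbatim as `defaultSrc`, `scriptSrc` and `styleSrc`, so the policy allows any inline script and any eval on every page and gives up most of the XSS mitigation the CSP was added for. Unless a shipped script genuinely needs them, both keywords should be removed from `trusted`; if an analytics snippet or inline style still requires an exception, grant it only in the one directive that needs it rather than through the list that feeds every directive (the keywords are meaningless for fetch directives such as `imgSrc` and `fontSrc` anyway). The new `fontSrc` line also keeps the pre-existing typo `"'self"` (missing closing quote), which browsers treat as an unrecognised source and ignore; since `trusted` already contains `"'self'"` and `"*.googleapis.com"`, the line can simply become `fontSrc: trusted,`. The enclosing `helmet.contentSecurityPolicy({ ... })` call continues past the end of the hunk.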