
Commit 767d7ba

Sumit-Mayaniwrteam-sumit
authored andcommitted
fix: add form-action and frame-ancestors to CSP header in redirects
Per the CSP spec, default-src does not govern the form-action or frame-ancestors directives, so omitting them left form submission from, and framing of, the redirect document unrestricted. Closes #187 Assisted-by AI: Claude (Anthropic)
1 parent 74be78a commit 767d7ba

2 files changed

Lines changed: 2 additions & 2 deletions


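--- a/index.js
+++ b/index.js
@@ -200,7 +200,7 @@ function createRedirectDirectoryListener () {
 res.statusCode = 301
 res.setHeader('Content-Type', 'text/html; charset=UTF-8')
 res.setHeader('Content-Length', Buffer.byteLength(doc))
-res.setHeader('Content-Security-Policy', "default-src 'none'")
+res.setHeader('Content-Security-Policy', "default-src 'none'; form-action 'none'; frame-ancestors 'none'")
 res.setHeader('X-Content-Type-Options', 'nosniff')
 res.setHeader('Location', loc)
 res.end(doc)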
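Review bot: The new header on line 203 still omits base-uri, which, like form-action and frame-ancestors, is not governed by default-src under the CSP spec, so the commit's own rationale applies to it as well. With default-src 'none' no script can run in this document, so the practical exposure is presumably small, but closing it is a one-token change and keeps the policy consistent with the stated intent: `res.setHeader('Content-Security-Policy', "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'")`. The expectation in test/test.js would need the same string. createRedirectDirectoryListener begins before this hunk and continues after it, so I cannot confirm here how `doc` and `loc` are built.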

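--- a/test/test.js
+++ b/test/test.js
@@ -510,7 +510,7 @@ describe('serveStatic()', function () {
 it('should respond with default Content-Security-Policy', function (done) {
 request(server)
 .get('/users')
-.expect('Content-Security-Policy', "default-src 'none'")
+.expect('Content-Security-Policy', "default-src 'none'; form-action 'none'; frame-ancestors 'none'")
 .expect(301, done)
 })
 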