Allow CSP child-src blob from self to fix Dashboard in Safari

Nike-Inc · Jun 5, 2018 · bc3a3f2 · bc3a3f2
1 parent 959d2a2
commit bc3a3f2
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/main/java/com/nike/cerberus/security/SecurityHttpHeaders.java b/src/main/java/com/nike/cerberus/security/SecurityHttpHeaders.java
@@ -48,7 +48,14 @@ public class SecurityHttpHeaders extends DefaultHttpHeaders {
      * https://en.wikipedia.org/wiki/Content_Security_Policy
      */
     private static final String CONTENT_SECURITY_POLICY_HEADER_NAME = "Content-Security-Policy";
-    private static final String CONTENT_SECURITY_POLICY_HEADER_VALUE = "default-src 'none'; connect-src 'self'; font-src https://web.nike.com; img-src 'self'; script-src 'self'; style-src 'unsafe-inline' https://web.nike.com/; worker-src 'self' blob:; frame-ancestors 'none';";
+    private static final String CONTENT_SECURITY_POLICY_HEADER_VALUE = "default-src 'none';" +
+            " connect-src 'self';" +
+            " font-src https://web.nike.com;" +
+            " img-src 'self';" +
+            " script-src 'self';" +
+            " style-src 'unsafe-inline' https://web.nike.com/;" +
+            " worker-src 'self' blob:; frame-ancestors 'none';" +
+            " child-src 'self' blob:;";
 
     /**
      * Referrer Policy header can restrict referrer information sent by browser