Skip to content
This repository has been archived by the owner on Jan 12, 2024. It is now read-only.

Commit

Permalink
Merge pull request #165 from Nike-Inc/fix-dashboard-in-safari
Browse files Browse the repository at this point in the history
Allow CSP child-src blob from 'self' to fix Dashboard in Safari
  • Loading branch information
sdford authored Jun 5, 2018
2 parents 959d2a2 + e2c6e0f commit fb7646d
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion gradle.properties
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=3.16.1
version=3.16.2
groupId=com.nike.cerberus
artifactId=cms
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,14 @@ public class SecurityHttpHeaders extends DefaultHttpHeaders {
* https://en.wikipedia.org/wiki/Content_Security_Policy
*/
private static final String CONTENT_SECURITY_POLICY_HEADER_NAME = "Content-Security-Policy";
private static final String CONTENT_SECURITY_POLICY_HEADER_VALUE = "default-src 'none'; connect-src 'self'; font-src https://web.nike.com; img-src 'self'; script-src 'self'; style-src 'unsafe-inline' https://web.nike.com/; worker-src 'self' blob:; frame-ancestors 'none';";
private static final String CONTENT_SECURITY_POLICY_HEADER_VALUE = "default-src 'none';" +
" connect-src 'self';" +
" font-src https://web.nike.com;" +
" img-src 'self';" +
" script-src 'self';" +
" style-src 'unsafe-inline' https://web.nike.com/;" +
" worker-src 'self' blob:; frame-ancestors 'none';" +
" child-src 'self' blob:;";

/**
* Referrer Policy header can restrict referrer information sent by browser
Expand Down

0 comments on commit fb7646d

Please sign in to comment.