Set default CSP header in redirect response

Author: dougwilson

HISTORY.md

@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Set default CSP header in redirect response
+
 1.11.2 / 2017-01-23
 ===================
 

index.js

@@ -181,6 +181,7 @@ function createRedirectDirectoryListener () {
     res.statusCode = 301
     res.setHeader('Content-Type', 'text/html; charset=UTF-8')
     res.setHeader('Content-Length', Buffer.byteLength(msg))
+    res.setHeader('Content-Security-Policy', "default-src 'self'")
     res.setHeader('X-Content-Type-Options', 'nosniff')
     res.setHeader('Location', loc)
     res.end(msg)

test/test.js

@@ -476,6 +476,13 @@ describe('serveStatic()', function () {
       .expect(301, 'Redirecting to <a href="/snow%20%E2%98%83/">/snow%20%E2%98%83/</a>\n', done)
     })
 
+    it('should respond with default Content-Security-Policy', function (done) {
+      request(server)
+      .get('/users')
+      .expect('Content-Security-Policy', "default-src 'self'")
+      .expect(301, done)
+    })
+
     it('should not redirect incorrectly', function (done) {
       request(server)
       .get('/')