From 9a7d3634d5efb5bddfc7065f971eae467370813f Mon Sep 17 00:00:00 2001 From: dheimerl <34488243+dheimerl@users.noreply.github.com> Date: Tue, 18 Dec 2018 10:19:35 -0600 Subject: [PATCH] Changed frame-ancestors to use 'self' --- src/api/web.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/api/web.rs b/src/api/web.rs index 31bfe3a0..bcf41bd7 100644 --- a/src/api/web.rs +++ b/src/api/web.rs @@ -56,7 +56,7 @@ impl<'r, R: Responder<'r>> Responder<'r> for WebHeaders { res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Content-Type-Options", "nosniff"); res.set_raw_header("X-XSS-Protection", "1; mode=block"); - let csp = "frame-ancestors chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ".to_owned() + &CONFIG.domain + ";"; + let csp = "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://*;"; res.set_raw_header("Content-Security-Policy", csp); Ok(res)