diff options
author | Feross Aboukhadijeh <feross@feross.org> | 2019-08-27 23:47:57 +0300 |
---|---|---|
committer | Feross Aboukhadijeh <feross@feross.org> | 2019-08-27 23:47:57 +0300 |
commit | cdf1159cc0227b1f85c4a52263cbd33bc4ed5242 (patch) | |
tree | 3fa09085ec78900c5e60a7d2903d6e42c8774760 /lib | |
parent | 22546df6d9ba9ca4523142d98b5e70f6db213f3e (diff) |
Set security headers on /favicon.ico responses
Diffstat (limited to 'lib')
-rw-r--r-- | lib/server.js | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/server.js b/lib/server.js index ef3ea4c..c8a5488 100644 --- a/lib/server.js +++ b/lib/server.js @@ -79,10 +79,6 @@ function Server (torrent, opts = {}) { const pathname = new URL(req.url, 'http://example.com').pathname - if (pathname === '/favicon.ico') { - return serve404Page() - } - // Allow cross-origin requests (CORS) if (isOriginAllowed(req)) { res.setHeader('Access-Control-Allow-Origin', req.headers.origin) @@ -94,6 +90,10 @@ function Server (torrent, opts = {}) { // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';") + if (pathname === '/favicon.ico') { + return serve404Page() + } + // Allow CORS requests to specify arbitrary headers, e.g. 'Range', // by responding to the OPTIONS preflight request with the specified // origin and requested headers. |