diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/server.js | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/server.js b/lib/server.js index ef3ea4c..c8a5488 100644 --- a/lib/server.js +++ b/lib/server.js @@ -79,10 +79,6 @@ function Server (torrent, opts = {}) { const pathname = new URL(req.url, 'http://example.com').pathname - if (pathname === '/favicon.ico') { - return serve404Page() - } - // Allow cross-origin requests (CORS) if (isOriginAllowed(req)) { res.setHeader('Access-Control-Allow-Origin', req.headers.origin) @@ -94,6 +90,10 @@ function Server (torrent, opts = {}) { // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';") + if (pathname === '/favicon.ico') { + return serve404Page() + } + // Allow CORS requests to specify arbitrary headers, e.g. 'Range', // by responding to the OPTIONS preflight request with the specified // origin and requested headers. |