From cdf1159cc0227b1f85c4a52263cbd33bc4ed5242 Mon Sep 17 00:00:00 2001
From: Feross Aboukhadijeh
Date: Tue, 27 Aug 2019 13:47:57 -0700
Subject: Set security headers on /favicon.ico responses

---
 lib/server.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/server.js b/lib/server.js
index ef3ea4c..c8a5488 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -79,10 +79,6 @@ function Server (torrent, opts = {}) {
 const pathname = new URL(req.url, 'http://example.com').pathname
- if (pathname === '/favicon.ico') {
- return serve404Page()
- }
-
 // Allow cross-origin requests (CORS)
 if (isOriginAllowed(req)) {
 res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
@@ -94,6 +90,10 @@ function Server (torrent, opts = {}) {
 // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS
 res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; object-src 'none';")
+ if (pathname === '/favicon.ico') {
+ return serve404Page()
+ }
+
 // Allow CORS requests to specify arbitrary headers, e.g. 'Range',
 // by responding to the OPTIONS preflight request with the specified
 // origin and requested headers.
-- 
cgit v1.2.3
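Review bot: The relocated early return in the second hunk (`+ if (pathname === '/favicon.ico') {`) carries no comment saying why it must sit below the header-setting code, so a later tidy-up that hoists the cheap favicon check back to the top of the handler would silently undo this fix; suggest `// Keep this below the security headers above so the favicon 404 carries them too`. Only the Content-Security-Policy line is visible immediately above the insertion point, so the hunk alone does not show whether every security-relevant header (the CORS headers from the first hunk, and anything set further down the handler) now precedes the return; any header set after this point is presumably still missing from /favicon.ico responses, which is worth confirming against the full handler. The first hunk is the matching pure deletion and needs nothing further. The enclosing `Server` request handler starts before the first hunk and continues past the second.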