From e7a1bf77fae17370b5eca7fa80afc3a054e7eb34 Mon Sep 17 00:00:00 2001
From: Miguel Freitas
Date: Fri, 17 Jul 2015 17:27:09 -0300
Subject: [PATCH] use Content-Security-Policy to prevent javascript: injection in URLs. unfortunately we still require 'unsafe-eval' due to jquery.getScript
---
 src/bitcoinrpc.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
index e51ebe26..4cc8f4de 100644
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@@ -377,6 +377,7 @@ static string HTTPReply(int nStatus, const string& strMsg, bool keepalive, const
 "Connection: %s\r\n"
 "Content-Length: %"PRIszu"\r\n"
 "Content-Type: %s\r\n"
+ "Content-Security-Policy: script-src 'self' 'unsafe-eval'\r\n"
 "Server: bitcoin-json-rpc/%s\r\n"
 "\r\n",
 nStatus,
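Review bot: The added policy only sets `script-src`, so every other CSP fetch directive stays at its browser default and the header does not restrict `<object>`/plugin loads or `<base href>` rewriting, which are the usual ways around a script-only policy; a tighter but still getScript-compatible value is `"Content-Security-Policy: script-src 'self' 'unsafe-eval'; object-src 'none'; base-uri 'self'\r\n"`. Since this format string is the generic reply builder (Content-Type is a `%s` parameter), the header is emitted on every reply including JSON-RPC bodies, where it is inert but harmless; if the web UI relies on inline `<script>` or `on*=` handlers, `'self'` will block them, which is worth confirming against the served pages. A short comment above the new line explaining why `'unsafe-eval'` is kept (the jquery.getScript dependency noted in the commit message) would save the next reader from "fixing" it, e.g. `// 'unsafe-eval' is required by jquery.getScript; drop it once scripts are loaded via <script src>`. HTTPReply's body begins before this hunk.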