Browse Source

use Content-Security-Policy to prevent javascript: injection in URLs.

unfortunately we still require 'unsafe-eval' due to jquery.getScript
miguelfreitas
Miguel Freitas 10 years ago
parent
commit
e7a1bf77fa
  1. 1
      src/bitcoinrpc.cpp

1
src/bitcoinrpc.cpp

@ -377,6 +377,7 @@ static string HTTPReply(int nStatus, const string& strMsg, bool keepalive, const
"Connection: %s\r\n" "Connection: %s\r\n"
"Content-Length: %"PRIszu"\r\n" "Content-Length: %"PRIszu"\r\n"
"Content-Type: %s\r\n" "Content-Type: %s\r\n"
"Content-Security-Policy: script-src 'self' 'unsafe-eval'\r\n"
"Server: bitcoin-json-rpc/%s\r\n" "Server: bitcoin-json-rpc/%s\r\n"
"\r\n", "\r\n",
nStatus, nStatus,

Loading…
Cancel
Save