Set default CSP header in redirect & error responses

dougwilson · dougwilson · commit 04474f5300be · 2017-02-19T00:53:34.000-05:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -2,6 +2,7 @@ unreleased
 ==========
 
   * Send complete HTML document in redirect & error responses
+  * Set default CSP header in redirect & error responses
 
 0.14.2 / 2017-01-23
 ===================
diff --git a/index.js b/index.js
@@ -293,6 +293,7 @@ SendStream.prototype.error = function error (status, error) {
   res.statusCode = status
   res.setHeader('Content-Type', 'text/html; charset=UTF-8')
   res.setHeader('Content-Length', Buffer.byteLength(doc))
+  res.setHeader('Content-Security-Policy', "default-src 'self'")
   res.setHeader('X-Content-Type-Options', 'nosniff')
   res.end(doc)
 }
@@ -455,6 +456,7 @@ SendStream.prototype.redirect = function redirect (path) {
   res.statusCode = 301
   res.setHeader('Content-Type', 'text/html; charset=UTF-8')
   res.setHeader('Content-Length', Buffer.byteLength(doc))
+  res.setHeader('Content-Security-Policy', "default-src 'self'")
   res.setHeader('X-Content-Type-Options', 'nosniff')
   res.setHeader('Location', loc)
   res.end(doc)
diff --git a/test/send.js b/test/send.js
@@ -342,6 +342,14 @@ describe('send(file).pipe(res)', function () {
       .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, done)
     })
 
+    it('should respond with default Content-Security-Policy', function (done) {
+      request(createServer({root: fixtures}))
+      .get('/pets')
+      .expect('Location', '/pets/')
+      .expect('Content-Security-Policy', "default-src 'self'")
+      .expect(301, done)
+    })
+
     it('should not redirect to protocol-relative locations', function (done) {
       request(createServer({root: fixtures}))
       .get('//pets')
@@ -369,6 +377,13 @@ describe('send(file).pipe(res)', function () {
       .get('/foobar')
       .expect(404, />Not Found</, done)
     })
+
+    it('should respond with default Content-Security-Policy', function (done) {
+      request(createServer({root: fixtures}))
+      .get('/foobar')
+      .expect('Content-Security-Policy', "default-src 'self'")
+      .expect(404, done)
+    })
   })
 
   describe('with conditional-GET', function () {
