From 9f2f9786607f456a78de40d30ce66059a26e82eb Mon Sep 17 00:00:00 2001
From: akuma06
Date: Sat, 26 Aug 2017 04:41:27 +0200
Subject: [PATCH] Added Content-Security-Policy (#1400)

As per suggested in #1104 , I added a middleware that adds the http header.
---
 controllers/middlewares/middlewares.go | 8 ++++++++
 controllers/middlewares/router.go | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/controllers/middlewares/middlewares.go b/controllers/middlewares/middlewares.go
index 600eeef8..a5177e26 100644
--- a/controllers/middlewares/middlewares.go
+++ b/controllers/middlewares/middlewares.go
@@ -60,3 +60,11 @@ func ScopesRequired(scopes ...string) gin.HandlerFunc {
 c.Next()
 }
 }
+
+// CSP set Content Security Policy http header
+func CSP() gin.HandlerFunc {
+ return func(c *gin.Context) {
+ c.Header("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; script-src 'self'")
+ c.Next()
+ }
+}
diff --git a/controllers/middlewares/router.go b/controllers/middlewares/router.go
index 43e95407..84fed7ba 100644
--- a/controllers/middlewares/router.go
+++ b/controllers/middlewares/router.go
@@ -3,5 +3,5 @@ package middlewares
 import "github.com/NyaaPantsu/nyaa/controllers/router"
 func init() {
- router.Get().Use(ErrorMiddleware())
+ router.Get().Use(CSP(), ErrorMiddleware())
 }
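Review bot: The policy string passed to `c.Header` in `CSP` omits the directives that do not fall back to `default-src` (`base-uri`, `form-action` and `frame-ancestors`), so base-tag injection, form posts to other origins and framing by other sites stay unrestricted. `object-src` does inherit `'self'` but is usually pinned to `'none'`. Consider `"default-src 'self'; img-src *; media-src *; script-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"`, relaxing `form-action` or `frame-ancestors` if the site legitimately posts forms elsewhere or is embedded, which this hunk does not show. Because `default-src 'self'` also blocks inline scripts and styles, any template that relies on them will break, and serving the policy as `Content-Security-Policy-Report-Only` first would surface that before enforcement. The doc comment would read better as `// CSP returns a middleware that sets the Content-Security-Policy response header.`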
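Review bot: Registering `CSP()` from `init()` only covers routes added to the router after this call, because gin's `Use` attaches middleware to handlers registered later. Whether any route is registered earlier cannot be seen from this hunk. For a security header that gap would be silent, so it is worth a comment above the `Use` call such as `// CSP must be registered before any route so that every response carries the header.` A test asserting the header on a representative response would catch a regression.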