From e21ffada37716228c9da242bea6393c7e08c45de Mon Sep 17 00:00:00 2001
From: ljeda
Date: Wed, 18 Dec 2024 00:21:25 +0100
Subject: [PATCH] Set even more strict CSP header in redirect response
---
 index.js | 2 +-
 test/test.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 1bee463..099f6cb 100644
--- a/index.js
+++ b/index.js
@@ -200,7 +200,7 @@ function createRedirectDirectoryListener () {
 res.statusCode = 301
 res.setHeader('Content-Type', 'text/html; charset=UTF-8')
 res.setHeader('Content-Length', Buffer.byteLength(doc))
- res.setHeader('Content-Security-Policy', "default-src 'none'")
+ res.setHeader('Content-Security-Policy', "default-src 'none'; frame-ancestors 'none'; form-action 'none'")
 res.setHeader('X-Content-Type-Options', 'nosniff')
 res.setHeader('Location', loc)
 res.end(doc)
diff --git a/test/test.js b/test/test.js
index 6984bcd..4ab354d 100644
--- a/test/test.js
+++ b/test/test.js
@@ -511,7 +511,7 @@ describe('serveStatic()', function () {
 it('should respond with default Content-Security-Policy', function (done) {
 request(server)
 .get('/users')
- .expect('Content-Security-Policy', "default-src 'none'")
+ .expect('Content-Security-Policy', "default-src 'none'; frame-ancestors 'none'; form-action 'none'")
 .expect(301, done)
 })
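Review bot: The new `Content-Security-Policy` value in the index.js hunk carries no explanation of why a 301 response needs `frame-ancestors` and `form-action` on top of `default-src 'none'`, and a later maintainer trimming the header back to the old value would silently reopen what this change closes; a why-comment above the `setHeader` line would pin the intent, e.g. `// The HTML body is only rendered by clients that do not follow the redirect; forbid embedding (frame-ancestors) and form submission (form-action) so that fallback page can never be abused.` Because `doc` is built outside this hunk, its contents cannot be checked here; if it contains a relative link, `base-uri 'none'` is the one remaining directive that would close off `<base>` injection and may be worth considering. The same literal is now duplicated in the test/test.js hunk, so the two must be kept in step by hand; a single exported constant would avoid drift, though whether the test can import it depends on the module layout not visible here. createRedirectDirectoryListener starts and ends outside the hunk.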