Use standard CSP for generated 404 pages

hebcal · Nov 19, 2024 · 524dae7 · 524dae7
1 parent 107308c
commit 524dae7
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/app-www.js b/src/app-www.js
@@ -234,7 +234,8 @@ app.use(async function strictContentSecurityPolicy(ctx, next) {
   const buf = randomBytes(6);
   const nonce = ctx.state.nonce = buf.toString('base64url');
   await next();
-  if (ctx.status === 200 && ctx.type === 'text/html') {
+  const status = ctx.status;
+  if ((status === 200 || status === 404) && ctx.type === 'text/html') {
     const csp = `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline';` +
       ` style-src 'self' https: data: 'unsafe-inline';` +
       ` frame-ancestors https: data:;` +