From 524dae7a64cf016309e604944fe57bed22e8de61 Mon Sep 17 00:00:00 2001
From: "Michael J. Radwin"
Date: Mon, 18 Nov 2024 22:11:16 -0800
Subject: [PATCH] Use standard CSP for generated 404 pages
---
 src/app-www.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/app-www.js b/src/app-www.js
index 5741fba..366871b 100644
--- a/src/app-www.js
+++ b/src/app-www.js
@@ -234,7 +234,8 @@ app.use(async function strictContentSecurityPolicy(ctx, next) {
 const buf = randomBytes(6);
 const nonce = ctx.state.nonce = buf.toString('base64url');
 await next();
- if (ctx.status === 200 && ctx.type === 'text/html') {
+ const status = ctx.status;
+ if ((status === 200 || status === 404) && ctx.type === 'text/html') {
 const csp = `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline';` +
 ` style-src 'self' https: data: 'unsafe-inline';` +
 ` frame-ancestors https: data:;` +
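Review bot: The status check `(status === 200 || status === 404)` is still an allowlist, so any other `text/html` response (a 400, 403, 410 or 500 page, for instance) is sent without the policy, and generated error pages are the responses most likely to echo request data. Unless a status is excluded on purpose, gating on the content type alone would cover them: `if (ctx.type === 'text/html') {`. If a downstream middleware throws, the code after `await next()` does not run at all, so error pages rendered by an outer handler would presumably need the header set there as well. Separately, `randomBytes(6)` in the context lines yields a 48-bit nonce, while the CSP specification recommends at least 128 bits (`randomBytes(16)`). The middleware starts before the hunk and its body continues past the last line shown, so later handling is not visible here.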