From d867ca8477423b3ebcfbd46ea738255d726870d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ken-H=C3=A5vard=20Lieng?=
Date: Wed, 14 Nov 2018 08:34:35 +0100
Subject: [PATCH] Add worker-src csp directive
---
 server/serve_files.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/server/serve_files.go b/server/serve_files.go
index 7f31cca0..0b51b89b 100644
--- a/server/serve_files.go
+++ b/server/serve_files.go
@@ -289,7 +289,18 @@ func (d *Dispatch) serveIndex(w http.ResponseWriter, r *http.Request) {
 inlineSha = inlineScriptSWSha256
 }
- w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' 'sha256-"+inlineSha+"'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; manifest-src 'self'; connect-src 'self' "+wsSrc)
+ csp := []string{
+ "default-src 'none'",
+ "script-src 'self' 'sha256-" + inlineSha + "'",
+ "style-src 'self' 'unsafe-inline'",
+ "font-src 'self'",
+ "img-src 'self'",
+ "manifest-src 'self'",
+ "connect-src 'self' " + wsSrc,
+ "worker-src 'self'",
+ }
+
+ w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
 }
 w.Header().Set("Content-Type", "text/html")
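Review bot: The `connect-src` entry interpolates `wsSrc` unescaped, and with this change `"worker-src 'self'"` is joined after it, so a `;` inside `wsSrc` would open a directive ahead of `worker-src`; CSP keeps the first occurrence of a directive and ignores later duplicates. `wsSrc` is assigned outside the hunk, so whether it can carry request-derived text (for example the Host header) cannot be confirmed from here. If it can, validate it before building the policy, or at least keep the interpolated entry last by putting `"worker-src 'self'",` above `"connect-src 'self' " + wsSrc,`. serveIndex begins before the hunk and continues past it.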