authorGiovane <giovaneliberato@gmail.com>2015-09-04 11:25:11 -0300
committerGiovane <giovaneliberato@gmail.com>2015-09-04 11:31:53 -0300
commitd044a34e9b5a0c341581daae03ba40fc72005170 (patch)
tree5d33421a471020698a579467d5483b96307ebaef
parent8c6a2155fd35180307eae39ae7c51ab56ab0efc2 (diff)
#304 Include CSP header support to more browsers
-rw-r--r--service/pixelated/config/site.py6
-rw-r--r--service/test/unit/config/test_site.py6
2 files changed, 10 insertions, 2 deletions
diff --git a/service/pixelated/config/site.py b/service/pixelated/config/site.py
index c6e55102..bd149914 100644
--- a/service/pixelated/config/site.py
+++ b/service/pixelated/config/site.py
@@ -2,8 +2,12 @@ from twisted.web.server import Site, Request
class AddCSPHeaderRequest(Request):
+ HEADER_VALUES = "default-src 'self'; style-src 'self' 'unsafe-inline'"
+
def process(self):
- self.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'")
+ self.setHeader("Content-Security-Policy", self.HEADER_VALUES)
+ self.setHeader("X-Content-Security-Policy", self.HEADER_VALUES)
+ self.setHeader("X-Webkit-CSP", self.HEADER_VALUES)
Request.process(self)
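Review bot: The two prefixed headers added in `process` reuse the standard policy string unchanged, but browsers that read `X-Content-Security-Policy` and `X-Webkit-CSP` implemented earlier drafts of the spec, so the same text may not be parsed or enforced the same way there. As far as I recall, older Firefox builds used a different directive vocabulary and IE honoured only `sandbox` under the `X-` name, so this is worth checking against the browsers actually targeted. I would record that next to the constant with a comment such as `# Prefixed headers are best-effort for legacy browsers; enforcement is only relied on via Content-Security-Policy.` As a style point, `HEADER_VALUES` holds a single policy string, so a singular name like `CSP_POLICY` would read more accurately. The class body appears complete in this hunk, but indentation was lost in the page rendering.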
diff --git a/service/test/unit/config/test_site.py b/service/test/unit/config/test_site.py
index 77d42ed8..1858bfaf 100644
--- a/service/test/unit/config/test_site.py
+++ b/service/test/unit/config/test_site.py
@@ -9,7 +9,11 @@ class TestPixelatedSite(unittest.TestCase):
request = self.create_request()
request.process()
headers = request.headers
- self.assertEqual(headers.get("Content-Security-Policy"), "default-src 'self'; style-src 'self' 'unsafe-inline'")
+
+ header_value = "default-src 'self'; style-src 'self' 'unsafe-inline'"
+ self.assertEqual(headers.get("Content-Security-Policy"), header_value)
+ self.assertEqual(headers.get("X-Content-Security-Policy"), header_value)
+ self.assertEqual(headers.get("X-Webkit-CSP"), header_value)
def create_request(self):
channel = LineReceiver()