From 6216fe2f1a1c496bcd3703f2f512b72cf7b6fddb Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Thu, 23 Apr 2015 17:34:41 +0200
Subject: [PATCH] [WO-03-024] Fix links can be opened in the message frame in MSIE11 (High) Add X-Content-Security-Policy HTTP header for IE10+
---
 server.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server.js b/server.js
index 04960a6..def7288 100644
--- a/server.js
+++ b/server.js
@@ -81,7 +81,9 @@ app.use(function(req, res, next) {
 res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
 // CSP
 var iframe = development ? "http://" + req.hostname + ":" + config.server.port : "https://" + req.hostname; // allow iframe to load assets
- res.set('Content-Security-Policy', "default-src 'self' " + iframe + "; object-src 'none'; connect-src *; style-src 'self' 'unsafe-inline' " + iframe + "; img-src *");
+ var csp = "default-src 'self' " + iframe + "; object-src 'none'; connect-src *; style-src 'self' 'unsafe-inline' " + iframe + "; img-src *";
+ res.set('Content-Security-Policy', csp);
+ res.set('X-Content-Security-Policy', csp);
 // set Cache-control Header (for AppCache)
 res.set('Cache-control', 'public, max-age=0');
 next();
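Review bot: The added `res.set('X-Content-Security-Policy', csp);` reuses the standard policy string verbatim, but as far as I know IE10/11 act only on the `sandbox` directive under that header and ignore fetch directives such as `default-src` and `object-src`, so this line may not change MSIE11 behaviour at all. It is worth confirming in IE11 that the frame navigation named in the commit title is actually blocked, and recording the limitation next to the call, e.g. `// IE10/11 honour only 'sandbox' under the X- header; other directives are ignored`. Separately, `csp` embeds `req.hostname`, which is derived from the request's Host header, so both headers now carry a client-influenced source expression; taking the iframe origin from configuration rather than from the request would remove that dependency. The `app.use` callback starts and ends outside the hunk, so any earlier host validation is not visible here.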