From f89e46f7817d5c738ea4135549095e4c01fddde5 Mon Sep 17 00:00:00 2001
From: Wei Lu
Date: Wed, 16 Sep 2015 08:56:19 +0800
Subject: [PATCH] add child-src as a default src for CSP
---
 server/express.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/express.js b/server/express.js
index 7802868b..3391f704 100644
--- a/server/express.js
+++ b/server/express.js
@@ -26,6 +26,7 @@ module.exports = function (){
 }
 app.use(helmet.csp({
 'default-src': ["'self'"],
+ 'child-src': ["'self'", "blob:"],
 'connect-src': [
 "'self'", "blob:",
 'api.bitcoinaverage.com', 'chain.so', // tickers
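Review bot: The added `'child-src': ["'self'", "blob:"]` entry widens the policy for both workers and nested frames, but nothing on the line says which feature needs `blob:`. Because `child-src` overrides `default-src` for those contexts, any script already running on the page may load a worker or frame from a blob URL it builds itself, so the exception should be documented so it can be narrowed later. I would add a comment above the entry such as `// blob: is required by <feature that creates blob workers>; keep frames limited to 'self'`. Browsers that do not implement `child-src` will presumably fall back to `default-src 'self'` and block the blob worker, which is worth confirming in the supported browser set. The `helmet.csp({...})` call continues past the end of the hunk, so other directives may already cover part of this.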