From 91517d91c3f1c6f419b516f5be9d4ac53a666924 Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Thu, 27 Aug 2020 20:08:29 +0800
Subject: [PATCH] server: prohibit Cross-Origin Resource Sharing
Flood instances should not be accessible to other sites. This change prevents malicious sites from using resources of a Flood instance and hijacking the browser to submit malicious requests to Flood.
---
 server/middleware/eventStream.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/middleware/eventStream.js b/server/middleware/eventStream.js
index 0e4dbe39..b2463b13 100644
--- a/server/middleware/eventStream.js
+++ b/server/middleware/eventStream.js
@@ -6,7 +6,7 @@ module.exports = (req, res, next) => {
 'Content-Type': 'text/event-stream',
 'Cache-Control': 'no-cache',
 Connection: 'keep-alive',
- 'Access-Control-Allow-Origin': '*',
+ 'Cross-Origin-Resource-Policy': 'same-origin',
 'X-Accel-Buffering': 'no',
 });
 res.status(200);
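Review bot: The replacement header on the `+` line changes what a cross-origin page may read from this stream, not whether the request reaches the server, so the description's claim that it stops a hijacked browser from submitting requests to Flood is not established by this hunk. Cross-Origin-Resource-Policy only makes browsers withhold the response from cross-origin no-cors loads; a cross-site request still carries the session cookie and is still processed, and dropping `Access-Control-Allow-Origin: *` on its own already prevents a cross-origin EventSource from reading the stream. Request forgery needs a separate control, such as a SameSite attribute on the auth cookie or an Origin/Sec-Fetch-Site comparison on state-changing routes, which are outside this middleware and not visible here. A comment on the new line would keep the intent honest: `// CORP stops cross-origin no-cors reads of this stream; it does not stop the request itself`. If the web UI is ever served from a sibling subdomain, `same-site` is the value that keeps it working; `same-origin` as written is the stricter choice.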