Broken when content securiy policy headers are applied

[jantimon]

For security reasons we are disallowing inline styles and scripts.
http://www.html5rocks.com/en/tutorials/security/content-security-policy/

As we are using the same security settings in our development environments we are running into issues when using serve-index as it relies heavily on inline styles, scripts.

Any ideas how we could handle this?

[dougwilson]

This module does all inline by default, otherwise it would have to reserve URLs in every directory that you couldn't use. This would be awful. If you don't want inline styles, you just need to override the HTML page generation:

var serveIndex = require('serveIndex')
serveIndex.html = function(req, res, files, next, dir){
  // generate your index page here that
  // references your own external stylesheets
  // and the like
}

[jantimon]

Okay I already expected that security is not an issue for a module which exposes the file structure.
However I don't understand why this would reserve URLs.

A possible solution would be to split the request into three requests:

just/a/example/path/ -> responds with directory.html
just/a/example/path/?styles -> responds with the styles
just/a/example/path/?scripts -> responds with the scripts

[dougwilson]

A possible solution would be to split the request into three requests

OK. Can you send a PR that does this, please?

[dougwilson]

In the meantime I'll keep this issue open.

[jantimon]

Okay will look into it