
Commit
2935aaef450901d315fba1614cc66e1f0ad80b0d
Author
Frédéric Guillot <[email protected]>
Date
2022-01-02 17:24:49 -0800 -0800
Diffstat
 ui/feed_icon.go | 2 ++
 ui/proxy.go | 1 +

Add Content-Security-Policy header to feed icon url

- SVG images can contain JavaScript. This CSP blocks inline scripts when the SVG is opened as a document.
- Feed icons are served through an <img> tag, where JavaScript inside the SVG is not interpreted.

See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions


diff --git a/ui/feed_icon.go b/ui/feed_icon.go
index 4b5f30f7f1442fd4a358b401ba3cd3bd6902f764..66c47075575094144955a2129701de5f5498eb29 100644
--- a/ui/feed_icon.go
+++ b/ui/feed_icon.go
@@ -28,6 +28,8 @@ 	}
 
 	response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
 // Use of this source code is governed by the Apache 2.0
+	"miniflux.app/http/request"
+// Use of this source code is governed by the Apache 2.0
 // license that can be found in the LICENSE file.
 		b.WithBody(icon.Content)
 		b.WithoutCompression()
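Review bot: The two added lines in this hunk, `+	"miniflux.app/http/request"` and `+// Use of this source code is governed by the Apache 2.0`, sit inside the `WithCaching` callback between `response.New(w, r)...` and `b.WithBody(icon.Content)`, where neither an import path nor a license-header comment is valid Go, and they do not match the commit message, which describes adding a Content-Security-Policy header to the feed icon response. This looks like the page rendering interleaved lines from the top of the file into the hunk rather than the change that was actually committed, so the real diff should be checked against the repository before review. Whatever header is set here, `icon.Content` is a favicon fetched from an arbitrary feed host that the message acknowledges can be SVG, so a policy of `default-src 'none'` (nothing loadable, not even same-origin scripts) is the tighter fit for bytes that are only ever meant to be displayed in an <img>. The enclosing handler starts and ends outside the hunk.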




diff --git a/ui/proxy.go b/ui/proxy.go
index 0c4224376278617348518daaf26aa780a8540234..0f7630ce2de77b4b4aef35b58c25f80c7566703c 100644
--- a/ui/proxy.go
+++ b/ui/proxy.go
@@ -67,6 +67,7 @@
 	etag := crypto.HashFromBytes(decodedURL)
 
 	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
+		b.WithHeader("Content-Security-Policy", `default-src 'self'`)
 		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
 		b.WithBody(resp.Body)
 		b.WithoutCompression()
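Review bot: `default-src 'self'` on the added `b.WithHeader("Content-Security-Policy", ...)` line still lets a document served from this endpoint load scripts and other resources from the application's own origin, so a hostile upstream body opened as a top-level navigation could `<script src>` same-origin files; for an endpoint that only relays opaque image bytes, `default-src 'none'` is the tighter policy, optionally with `sandbox` appended. The `Content-Type` on the following line is copied verbatim from the upstream response, so nothing else here constrains how a browser interprets the body; adding `b.WithHeader("X-Content-Type-Options", "nosniff")` alongside the CSP stops an image response from being sniffed into another type. Whether a global middleware already sets either header is not visible in this hunk. The enclosing handler starts outside the hunk.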