- Commit
- 2935aaef450901d315fba1614cc66e1f0ad80b0d
- Author
- Frédéric Guillot <[email protected]>
- Date
- 2022-01-02 17:24:49 -0800 -0800
- Diffstat
ui/feed_icon.go | 2 ++ ui/proxy.go | 1 +
Add Content-Security-Policy header to feed icon url - SVG images could contain Javascript. This CSP blocks inline script. - Feed icons are served using an <img> tag and Javascript is not interpreted. See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions
diff --git a/ui/feed_icon.go b/ui/feed_icon.go
index 4b5f30f7f1442fd4a358b401ba3cd3bd6902f764..66c47075575094144955a2129701de5f5498eb29 100644
--- a/ui/feed_icon.go
+++ b/ui/feed_icon.go
@@ -28,6 +28,8 @@
 }
 response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
 // Use of this source code is governed by the Apache 2.0
+ "miniflux.app/http/request"
+// Use of this source code is governed by the Apache 2.0
 // license that can be found in the LICENSE file.
 b.WithBody(icon.Content)
 b.WithoutCompression()
diff --git a/ui/proxy.go b/ui/proxy.go
index 0c4224376278617348518daaf26aa780a8540234..0f7630ce2de77b4b4aef35b58c25f80c7566703c 100644
--- a/ui/proxy.go
+++ b/ui/proxy.go
@@ -67,6 +67,7 @@
 etag := crypto.HashFromBytes(decodedURL)
 response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
+ b.WithHeader("Content-Security-Policy", `default-src 'self'`)
 b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
 b.WithBody(resp.Body)
 b.WithoutCompression()
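Review bot: The new `default-src 'self'` line in the proxy.go hunk mitigates script execution, but the response still echoes the upstream `Content-Type` unchecked on the next line, so whatever the remote server declares is served under the application's own origin; the commit message's rationale (icons are only rendered via `<img>`) does not hold for a direct navigation to the proxy URL, where a document-type body would be rendered as a page. Since `default-src` does not govern every directive (for example `form-action` has no fallback to it), the cheap hardening is to extend the value to `default-src 'self'; sandbox` and add `b.WithHeader("X-Content-Type-Options", "nosniff")` next to it, or to restrict the echoed type to image media types. It is unclear from the hunk how `WithHeader` treats an empty value when the upstream omits `Content-Type`; worth confirming against `response.Builder`. The same CSP is presumably intended for the feed_icon.go hunk, whose rendered added lines here do not show it. The enclosing handler in both files starts and ends outside the hunks.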