forks/miniflux
1
0
Fork 0
Code Releases Activity

Add Content-Security-Policy header to feed icon url

Browse source 
- SVG images could contains Javascript. This CSP blocks inline script.
- Feed icons are served using <img> tag and Javascript is not interpreted.

See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions
This commit is contained in:
Frédéric Guillot 2022-01-02 17:24:49 -08:00
parent 33fd0a617e
commit 2935aaef45
2 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ui/feed_icon.go
View file

@ -27,6 +27,7 @@ func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
}
response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", icon.MimeType)
b.WithBody(icon.Content)
b.WithoutCompression()

1
ui/proxy.go
View file

@ -67,6 +67,7 @@ func (h *handler) imageProxy(w http.ResponseWriter, r *http.Request) {
etag := crypto.HashFromBytes(decodedURL)
response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
b.WithBody(resp.Body)
b.WithoutCompression()