forks/miniflux
1
0
Fork 0
Code Releases Activity

Add child-src CSP directive

Browse source
This commit is contained in:
Frédéric Guillot 2017-12-04 20:46:49 -08:00
parent 0e6fc2db1e
commit 321d7182ae
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
server/core/response.go
View file

@ -69,7 +69,10 @@ func (r *Response) commonHeaders() {
r.writer.Header().Set("X-XSS-Protection", "1; mode=block")
r.writer.Header().Set("X-Content-Type-Options", "nosniff")
r.writer.Header().Set("X-Frame-Options", "DENY")
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *")
// Even if the directive "frame-src" has been deprecated in Firefox,
// we keep it to stay compatible with other browsers.
r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
}
// NewResponse returns a new Response.