From c531be87806a8b30b1347ef838e8617b05d3c86e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Fri, 28 Mar 2025 12:58:48 -0700
Subject: [PATCH] fix: update Content-Security-Policy to use 'sandbox' directive
---
 internal/googlereader/handler.go | 2 +-
 internal/http/response/html/html.go | 4 ++--
 internal/ui/feed_icon.go | 2 +-
 internal/ui/proxy.go | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/internal/googlereader/handler.go b/internal/googlereader/handler.go
index 3fd8b888..2f40f8f4 100644
--- a/internal/googlereader/handler.go
+++ b/internal/googlereader/handler.go
@@ -751,7 +751,7 @@ func (h *handler) iconHandler(w http.ResponseWriter, r *http.Request) {
 }
 response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
- b.WithHeader("Content-Security-Policy", `default-src 'self'`)
+ b.WithHeader("Content-Security-Policy", `sandbox`)
 b.WithHeader("Content-Type", icon.MimeType)
 b.WithBody(icon.Content)
 if icon.MimeType != "image/svg+xml" {
diff --git a/internal/http/response/html/html.go b/internal/http/response/html/html.go
index eeaeb1ef..923ce2e3 100644
--- a/internal/http/response/html/html.go
+++ b/internal/http/response/html/html.go
@@ -37,7 +37,7 @@ func ServerError(w http.ResponseWriter, r *http.Request, err error) {
 builder := response.New(w, r)
 builder.WithStatus(http.StatusInternalServerError)
- builder.WithHeader("Content-Security-Policy", `default-src 'self'`)
+ builder.WithHeader("Content-Security-Policy", `sandbox`)
 builder.WithHeader("Content-Type", "text/html; charset=utf-8")
 builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
 builder.WithBody(err)
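Review bot: Replacing `default-src 'self'` with `sandbox` removes the fetch restriction on the icon response: if an SVG icon is navigated to directly (the case the `if icon.MimeType != "image/svg+xml"` branch below is conditioned on), it now renders in an opaque origin with script disabled, which is stronger than before, but it may load subresources from any host, which the old policy forbade. A response's CSP only governs that response when it is rendered as a document and is ignored for `<img>` embedding, so `b.WithHeader("Content-Security-Policy", "sandbox; default-src 'none'")` would keep both protections at no cost to the normal use of icons. The same literal is now written in feed_icon.go (@@ -26), proxy.go (@@ -144) and both html.go hunks; a shared constant in the response package would stop the five sites from drifting apart. A why-comment such as `// sandbox: opaque origin and no script even if an SVG icon is opened as a document` would record the intent on the line. iconHandler starts before the hunk and continues past it.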
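Review bot: ServerError here and BadRequest in the @@ -61 hunk now set the same four headers and differ only in the status code, so the policy string and header set are duplicated in two places that must be kept in sync; a small helper such as `func errorPage(w http.ResponseWriter, r *http.Request, status int, err error)` called from both would make the next policy change a one-line edit. On the policy itself, `sandbox` makes the error document's origin opaque and disables script, but it no longer limits where the page may fetch from as `default-src 'self'` did; since the body is only `err`, `sandbox; default-src 'none'` would cost nothing if the page loads no stylesheet or image, which is not visible from this hunk. Whether `WithBody(err)` HTML-escapes the error text is also outside this hunk, so the CSP here is defence in depth rather than the primary control. ServerError starts before the hunk and continues past it.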
@@ -61,7 +61,7 @@ func BadRequest(w http.ResponseWriter, r *http.Request, err error) {
 builder := response.New(w, r)
 builder.WithStatus(http.StatusBadRequest)
- builder.WithHeader("Content-Security-Policy", `default-src 'self'`)
+ builder.WithHeader("Content-Security-Policy", `sandbox`)
 builder.WithHeader("Content-Type", "text/html; charset=utf-8")
 builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
 builder.WithBody(err)
diff --git a/internal/ui/feed_icon.go b/internal/ui/feed_icon.go
index 89d74903..12db5f70 100644
--- a/internal/ui/feed_icon.go
+++ b/internal/ui/feed_icon.go
@@ -26,7 +26,7 @@ func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
 }
 response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
- b.WithHeader("Content-Security-Policy", `default-src 'self'`)
+ b.WithHeader("Content-Security-Policy", `sandbox`)
 b.WithHeader("Content-Type", icon.MimeType)
 b.WithBody(icon.Content)
 if icon.MimeType != "image/svg+xml" {
diff --git a/internal/ui/proxy.go b/internal/ui/proxy.go
index 8c0f0f61..8973af67 100644
--- a/internal/ui/proxy.go
+++ b/internal/ui/proxy.go
@@ -144,7 +144,7 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
 response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
 b.WithStatus(resp.StatusCode)
- b.WithHeader("Content-Security-Policy", `default-src 'self'`)
+ b.WithHeader("Content-Security-Policy", `sandbox`)
 b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
 if filename := path.Base(parsedMediaURL.Path); filename != "" {
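Review bot: mediaProxy relays the upstream `Content-Type` unchanged on the line after the new header, so a remote server answering with `text/html` gets its body rendered as a document on this origin; `sandbox` is the right control for that case, since the document then runs in an opaque origin with script disabled. What the change gives up is the fetch restriction of `default-src 'self'`: such a document can now load subresources from any host. Because a response's CSP only applies when it is rendered as a document and is ignored for `<img>` embedding, `b.WithHeader("Content-Security-Policy", "sandbox; default-src 'none'")` would tighten the navigation case without affecting the proxy's normal use. A why-comment on the line, e.g. `// sandbox: proxied bodies render in an opaque origin without script, whatever the upstream Content-Type`, would keep the reason visible. mediaProxy starts before the hunk and continues past it.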