mirror of https://github.com/miniflux/v2.git synced 2025-06-27 16:36:00 +00:00

fix: update Content-Security-Policy to use 'sandbox' directive

Frédéric Guillot 2025-03-28 12:58:48 -07:00
parent 6e3cecc57e
commit c531be8780
4 changed files with 5 additions and 5 deletions


@ -751,7 +751,7 @@ func (h *handler) iconHandler(w http.ResponseWriter, r *http.Request) {
}
response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Security-Policy", `sandbox`)
b.WithHeader("Content-Type", icon.MimeType)
b.WithBody(icon.Content)
if icon.MimeType != "image/svg+xml" {
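Review bot: With `sandbox` as the only directive, the icon response loses the fetch restrictions that `default-src` carried. `sandbox` disables scripts and forces an opaque origin when the resource is opened as a document, but an SVG icon (the `image/svg+xml` case tested just below) can still reference external images or stylesheets, which lets a feed-supplied icon act as a tracking beacon. Consider keeping both, e.g. `b.WithHeader("Content-Security-Policy", "default-src 'none'; sandbox")`. The same line appears in the showIcon and mediaProxy sections, and mediaProxy relays the upstream Content-Type, so it is the most exposed of the three. A single shared constant for the policy would keep all call sites in step; the enclosing closure continues past the end of this hunk.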


@ -37,7 +37,7 @@ func ServerError(w http.ResponseWriter, r *http.Request, err error) {
builder := response.New(w, r)
builder.WithStatus(http.StatusInternalServerError)
builder.WithHeader("Content-Security-Policy", `default-src 'self'`)
builder.WithHeader("Content-Security-Policy", `sandbox`)
builder.WithHeader("Content-Type", "text/html; charset=utf-8")
builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
builder.WithBody(err)
@ -61,7 +61,7 @@ func BadRequest(w http.ResponseWriter, r *http.Request, err error) {
builder := response.New(w, r)
builder.WithStatus(http.StatusBadRequest)
builder.WithHeader("Content-Security-Policy", `default-src 'self'`)
builder.WithHeader("Content-Security-Policy", `sandbox`)
builder.WithHeader("Content-Type", "text/html; charset=utf-8")
builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
builder.WithBody(err)
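Review bot: `sandbox` stops script execution on these error pages, but both ServerError and BadRequest still send `err` as the body of a `text/html` response (`builder.WithBody(err)`), so any request-derived text in the error message would be rendered as markup (links, spoofed content) unless the builder escapes it, which is not visible here. If it does not, HTML-escape the message before writing it or serve it as plain text with `builder.WithHeader("Content-Type", "text/plain; charset=utf-8")`. Pairing `sandbox` with `default-src 'none'` would also stop injected markup from loading remote resources. Both function bodies continue outside the hunks.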


@ -26,7 +26,7 @@ func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
}
response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Security-Policy", `sandbox`)
b.WithHeader("Content-Type", icon.MimeType)
b.WithBody(icon.Content)
if icon.MimeType != "image/svg+xml" {


@ -144,7 +144,7 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) {
response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
b.WithStatus(resp.StatusCode)
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Security-Policy", `sandbox`)
b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
if filename := path.Base(parsedMediaURL.Path); filename != "" {