fix(security): use a more restrictive CSP for untrusted content

2025-09-15 18:57:04 +00:00 · 2025-03-29 19:43:06 -07:00 · 2025-03-29 19:43:06 -07:00 · cb695e653a
commit cb695e653a
parent f57949c9a2
4 changed files with 18 additions and 4 deletions
--- a/internal/ui/feed_icon.go
+++ b/internal/ui/feed_icon.go
@ -26,7 +26,7 @@ func (h *handler) showFeedIcon(w http.ResponseWriter, r *http.Request) {
 	}

 	response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
-		b.WithHeader("Content-Security-Policy", `sandbox`)
+		b.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
 		b.WithHeader("Content-Type", icon.MimeType)
 		b.WithBody(icon.Content)
 		if icon.MimeType != "image/svg+xml" {