mirror of
https://github.com/miniflux/v2.git
synced 2025-08-26 18:21:01 +00:00
feat(js): tighten the trusted types policy
- Implement a better/simpler polyfill for web browsers that don't supported trusted types yet - Use two separate policies: one to create HTML, another to create/use script urls - Instead of having the policy live in the top-level scope, they're now declared at the lowest possible scope, right before they're used, making them inaccessible outside of it. This puts their usage completely out of reach of an attacker unable to gain some control outside of those two (small) scopes, and thus removes the need to tighten the policies. - Remove the now-unused tt.js file This has been tested on Firefox (doesn't support trusted types) and on Chromium (does support trusted types).
This commit is contained in:
jvoisin
Frédéric Guillot
parent
8e1d0bb693
commit
da9c3a4032
4 changed files with 15 additions and 18 deletions
|
|
@ -121,7 +121,6 @@ func GenerateStylesheetsBundles() error {
|
|||
func GenerateJavascriptBundles(webauthnEnabled bool) error {
|
||||
var bundles = map[string][]string{
|
||||
"app": {
|
||||
"js/tt.js", // has to be first
|
||||
"js/touch_handler.js",
|
||||
"js/keyboard_handler.js",
|
||||
"js/modal_handler.js",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue