mirror of
https://github.com/miniflux/v2.git
synced 2025-09-15 18:57:04 +00:00
Enable trusted-types
This commit adds a policy and makes use of it in the Content-Security-Policy. I've tested it as best I could, both on a modern browser supporting trusted-types (Chrome) and on one that doesn't (Firefox). Thanks to @lweichselbaum for giving me a hand to wrap this up!
parent
beb8c80787
commit
ed20771194
5 changed files with 20 additions and 4 deletions
|
@ -36,10 +36,10 @@
|
|||
|
||||
{{ if and .user .user.Stylesheet }}
|
||||
{{ $stylesheetNonce := nonce }}
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'">
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'; require-trusted-types-for 'script'; trusted-types ttpolicy;">
|
||||
<style nonce="{{ $stylesheetNonce }}">{{ .user.Stylesheet | safeCSS }}</style>
|
||||
{{ else }}
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *">
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; require-trusted-types-for 'script'; trusted-types ttpolicy;">
|
||||
{{ end }}
|
||||
|
||||
<script src="{{ route "javascript" "name" "app" "checksum" .app_js_checksum }}" defer></script>
|
||||
|
|
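Review bot: Both new `<meta>` policies enforce `require-trusted-types-for 'script'` immediately and from a meta element, where `report-uri` is ignored and no `Content-Security-Policy-Report-Only` variant exists. Any string-to-sink assignment left in the JavaScript would therefore throw in Chromium without a violation report reaching the server. Sending the same policy as an HTTP response header would allow a reporting endpoint and a report-only rollout. The directive pair is also repeated verbatim in both branches of the `{{ if }}`, so the two copies can drift apart. The policy name is not defined in this hunk, so a template comment above the `{{ if }}` such as `{{/* "ttpolicy" must match the name passed to trustedTypes.createPolicy() in the JS bundle */}}` would record the coupling. The enclosing template starts and ends outside the hunk.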