oss/miniflux-v2
oss/miniflux-v2
1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-10-05 19:31:01 +00:00
Code Wiki Activity
miniflux-v2/internal
History
Julien Voisin bf7f55e28a
feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self 
Having the CSP built in a function instead of in the template makes it easier
to properly construct it. This was also the opportunity to switch from
default-src 'self' to default-src 'none', to deny everything that isn't
explicitly allowed, instead of allowing everything coming from 'self'.

Moreover, as Miniflux is shoving the content of feeds in the same origin as
itself, using self doesn't do much security-wise. It's much better to
systematically use a nonce-based policy, so that an attacker able to bypass the
sanitization will have to guess the nonce to gain arbitrary javascript
execution.
2025-10-02 19:38:37 -07:00
..
api fix(api): do not return removed entries 2025-08-23 15:17:37 -07:00
cli refactor(config): rewrite config parser 2025-09-14 10:51:04 -07:00
config refactor(config): rewrite config parser 2025-09-14 10:51:04 -07:00
crypto perf(reader): use a non-cryptographic hash when possible 2025-06-18 20:28:23 -07:00
database refactor(database): get rid of the dependency on hstore 2025-09-30 17:41:56 -07:00
fever fix(fever): fix typo in variable name 2025-09-14 11:11:41 -07:00
googlereader refactor: avoid unnecessary usage of Printf 2025-09-08 11:54:16 -07:00
http refactor(config): rewrite config parser 2025-09-14 10:51:04 -07:00
integration feat(integration): add integration with archive.org 2025-09-26 19:46:12 -07:00
locale feat(integration): add integration with archive.org 2025-09-26 19:46:12 -07:00
mediaproxy refactor(config): rewrite config parser 2025-09-14 10:51:04 -07:00
metric refactor(metric): use time.Duration for refresh duration 2025-08-20 19:45:24 -07:00
model feat(integration): add integration with archive.org 2025-09-26 19:46:12 -07:00
oauth2 feat(oidc): use preferred_username first instead of email claim 2025-06-08 18:05:47 -07:00
proxyrotator refactor(proxyrotator): simplify mutex handling 2025-07-07 15:52:16 -07:00
reader feat(rewrite): add remove_img_blur_params rule 2025-10-01 20:41:08 -07:00
storage feat(integration): add integration with archive.org 2025-09-26 19:46:12 -07:00
systemd Move internal packages to an internal folder 2023-08-10 20:29:34 -07:00
template feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self 2025-10-02 19:38:37 -07:00
timezone fix(timezone): make sure legacy time zones are no longer used 2025-09-12 16:20:27 -07:00
ui fix(css): avoid layout overflow when external link is too long 2025-09-28 13:34:18 -07:00
urllib fix(icon): implement better handling of relative icon URLs within a subfolder 2025-09-09 20:18:50 -07:00
validator fix(timezone): make sure legacy time zones are no longer used 2025-09-12 16:20:27 -07:00
version test(version): add a test to enforce the version format 2025-08-18 19:51:09 -07:00
worker feat: add POLLING_LIMIT_PER_HOST to limit concurrent requests per host 2025-08-08 12:33:46 -07:00