Julien Voisin bf7f55e28a feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self ... Having the CSP built in a function instead of in the template makes it easier to properly construct it. This was also the opportunity to switch from default-src 'self' to default-src 'none', to deny everything that isn't explicitly allowed, instead of allowing everything coming from 'self'. Moreover, as Miniflux is shoving the content of feeds in the same origin as itself, using self doesn't do much security-wise. It's much better to systematically use a nonce-based policy, so that an attacker able to bypass the sanitization will have to guess the nonce to gain arbitrary javascript execution.		2025-10-02 19:38:37 -07:00
..
templates	feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self	2025-10-02 19:38:37 -07:00
engine.go	refactor: Replace "Bookmarks" with "Starred"	2025-08-20 20:49:45 -07:00
functions.go	feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self	2025-10-02 19:38:37 -07:00
functions_test.go	feat(template): extract CSP to a function, systematically use nonces, and use default-src 'none' instead of self	2025-10-02 19:38:37 -07:00