Merge branch 'CSP-no-inline' into dev

author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-21 21:25:48 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-21 21:25:48 +0100
commit: bb3f9e67ed0213fa32205213a51549872a2f5e84 (patch)
tree: a31a6e2d0987b361966b08f305d4e9fb89c6644c
parent: 8d8bf4647bba0a0be2336f3eaeb8e6a70bfb9a37 (diff)
parent: 38c2d671e3480b8e9fb38491797e44fdea317006 (diff)
2 files changed, 11 insertions, 4 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 62ea18d96..bfbd7a6eb 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,10 +111,16 @@ class FreshRSS extends Minz_FrontController {
 	}
 
 	public static function preLayout() {
-		if (Minz_Request::controllerName() === 'stats') {
-			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
-		} else {
-			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
 		}
 	}
 
diff --git a/app/install.php b/app/install.php
index 03f6e2199..a4a888af2 100644
--- a/app/install.php
+++ b/app/install.php
@@ -2,6 +2,7 @@
 if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
+header("Content-Security-Policy: default-src 'self'");
 
 define('BCRYPT_COST', 9);
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-21 21:25:48 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-21 21:25:48 +0100
commit	bb3f9e67ed0213fa32205213a51549872a2f5e84 (patch)
tree	a31a6e2d0987b361966b08f305d4e9fb89c6644c
parent	8d8bf4647bba0a0be2336f3eaeb8e6a70bfb9a37 (diff)
parent	38c2d671e3480b8e9fb38491797e44fdea317006 (diff)