Merge pull request #1078 from Alkarex/CSP-no-inline

Content-Security-Policy
author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-28 12:13:19 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-28 12:13:19 +0100
commit: 3b2f9533c363406087cf77c56db16a120b9523c7 (patch)
tree: 14743e94e95a6970e5dfe06bd5414deaed25d0ee /app/FreshRSS.php
parent: 830c5aad03ff4d0cfbde4fcf275b04de6c4f4019 (diff)
parent: 995cf58d249c6a2ddfd042cc5b509914295c882f (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 044de9cd4..bfbd7a6eb 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -110,6 +110,20 @@ class FreshRSS extends Minz_FrontController {
 		}
 	}
 
+	public static function preLayout() {
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
+		}
+	}
+
 	private function loadNotifications() {
 		$notif = Minz_Session::param('notification');
 		if ($notif) {
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-28 12:13:19 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-28 12:13:19 +0100
commit	3b2f9533c363406087cf77c56db16a120b9523c7 (patch)
tree	14743e94e95a6970e5dfe06bd5414deaed25d0ee /app/FreshRSS.php
parent	830c5aad03ff4d0cfbde4fcf275b04de6c4f4019 (diff)
parent	995cf58d249c6a2ddfd042cc5b509914295c882f (diff)