Merge pull request #1119 from FreshRSS/dev1.3.1-beta

Merge dev in 1.3.1-beta
author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-03-11 22:57:20 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2016-03-11 22:57:20 +0100
commit: 8dcc0fd65a36adedb12e5d54bafb39e7e553d38b (patch)
tree: bf47fd99928a6782a309cdd1171516029d4f9611 /app/FreshRSS.php
parent: 919c9c83013ea310f01c309f00dea3f8afa9033e (diff)
parent: 8f4c61a4154641ac22e6d541b6994add3c4803cb (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 044de9cd4..bafa970da 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -110,6 +110,21 @@ class FreshRSS extends Minz_FrontController {
 		}
 	}
 
+	public static function preLayout() {
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
+		}
+		header("X-Content-Type-Options: nosniff");
+	}
+
 	private function loadNotifications() {
 		$notif = Minz_Session::param('notification');
 		if ($notif) {
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-03-11 22:57:20 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2016-03-11 22:57:20 +0100
commit	8dcc0fd65a36adedb12e5d54bafb39e7e553d38b (patch)
tree	bf47fd99928a6782a309cdd1171516029d4f9611 /app/FreshRSS.php
parent	919c9c83013ea310f01c309f00dea3f8afa9033e (diff)
parent	8f4c61a4154641ac22e6d541b6994add3c4803cb (diff)