diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2017-12-17 20:28:04 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2017-12-17 20:28:04 +0100 |
| commit | 60f56539c3f30fd3f7ba4f2a3570f7029ac93e5f (patch) | |
| tree | 1e78bfac7042dceb63898e2215db8fb0c1d7745d /app/FreshRSS.php | |
| parent | ceda55c75b158fc1cf4813fe0f258527754b9289 (diff) | |
| parent | 0b1516af91792f86868689392f72ad4b6e32cdcf (diff) | |
Merge pull request #1720 from FreshRSS/dev
FreshRSS 1.9.0
Diffstat (limited to 'app/FreshRSS.php')
| -rw-r--r-- | app/FreshRSS.php | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 90d6fae06..f53c85bfb 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -111,7 +111,13 @@ class FreshRSS extends Minz_FrontController { public static function preLayout() { switch (Minz_Request::controllerName()) { case 'index': - header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *"); + $urlToAuthorize = array_filter(array_map(function ($a) { + if (isset($a['method']) && $a['method'] === 'POST') { + return $a['url']; + } + }, FreshRSS_Context::$user_conf->sharing)); + $connectSrc = count($urlToAuthorize) ? sprintf("; connect-src 'self' %s", implode(' ', $urlToAuthorize)) : ''; + header(sprintf("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *%s", $connectSrc)); break; case 'stats': header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); |