Add a Mastodon share (#1674)

See #1521
author: Alexis Degrugillier <aledeg@users.noreply.github.com> 2017-11-04 21:19:51 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2017-11-04 21:19:51 +0100
commit: afffbfce0758391a52c8c0c5b9766643a49065e8 (patch)
tree: 0e9e37ab03d954672f45783d22c58c78876b0531 /app/FreshRSS.php
parent: 05b1901fcdbb051077d12f776980484d3b782970 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 90d6fae06..8f4ee334c 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,7 +111,13 @@ class FreshRSS extends Minz_FrontController {
 	public static function preLayout() {
 		switch (Minz_Request::controllerName()) {
 			case 'index':
-				header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
+				$urlToAuthorize = array_filter(array_map(function($a) {
+					if ('POST' === $a['method']) {
+						return $a['url'];
+					}
+				}, FreshRSS_Context::$user_conf->sharing));
+				$connectSrc = count($urlToAuthorize) ? sprintf("; connect-src 'self' %s", implode(' ', $urlToAuthorize)) : '';
+				header(sprintf("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *%s", $connectSrc));
 				break;
 			case 'stats':
 				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
author	Alexis Degrugillier <aledeg@users.noreply.github.com>	2017-11-04 21:19:51 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2017-11-04 21:19:51 +0100
commit	afffbfce0758391a52c8c0c5b9766643a49065e8 (patch)
tree	0e9e37ab03d954672f45783d22c58c78876b0531 /app/FreshRSS.php
parent	05b1901fcdbb051077d12f776980484d3b782970 (diff)