Merge branch 'CSP-no-inline' into dev

author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-21 19:15:41 +0100
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2016-02-21 19:15:41 +0100
commit: 8d8bf4647bba0a0be2336f3eaeb8e6a70bfb9a37 (patch)
tree: f55d65a8374900cd0edd78db4c53e1fd4087775d /app/FreshRSS.php
parent: a5beaee23e7d092706b4f13e2ed0e0fb440c3046 (diff)
parent: cb913a3a76daf357ad36ca39c26b4aaf800211d2 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index a6ed2a306..62ea18d96 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,7 +111,11 @@ class FreshRSS extends Minz_FrontController {
 	}
 
 	public static function preLayout() {
-		header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'");
+		if (Minz_Request::controllerName() === 'stats') {
+			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+		} else {
+			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		}
 	}
 
 	private function loadNotifications() {
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-21 19:15:41 +0100
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2016-02-21 19:15:41 +0100
commit	8d8bf4647bba0a0be2336f3eaeb8e6a70bfb9a37 (patch)
tree	f55d65a8374900cd0edd78db4c53e1fd4087775d /app/FreshRSS.php
parent	a5beaee23e7d092706b4f13e2ed0e0fb440c3046 (diff)
parent	cb913a3a76daf357ad36ca39c26b4aaf800211d2 (diff)