diff options
Diffstat (limited to 'app/FreshRSS.php')
| -rw-r--r-- | app/FreshRSS.php | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 90d6fae06..f53c85bfb 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -111,7 +111,13 @@ class FreshRSS extends Minz_FrontController { public static function preLayout() { switch (Minz_Request::controllerName()) { case 'index': - header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *"); + $urlToAuthorize = array_filter(array_map(function ($a) { + if (isset($a['method']) && $a['method'] === 'POST') { + return $a['url']; + } + }, FreshRSS_Context::$user_conf->sharing)); + $connectSrc = count($urlToAuthorize) ? sprintf("; connect-src 'self' %s", implode(' ', $urlToAuthorize)) : ''; + header(sprintf("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *%s", $connectSrc)); break; case 'stats': header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); |