From 7802fd33a627dc7c582df871cfa613d9be8f8788 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sat, 7 Dec 2019 19:29:23 +0100 Subject: tec: Allow to change CSP header from controllers For an extension, I needed to call a script from an external domain. Unfortunately, the CSP headers didn't allow this domain and I had to patch manually the FreshRSS FrontController for my extension. It's obviously not a long-term solution since it has nothing to do in the core of FRSS, and I don't want to apply this patch manually at each update. With this patch, I allow changing the CSP header from inside the controller actions. It allows extensions to modify headers. It's also an opportunity to remove a bit of code from the FrontController. I wasn't happy with the previous implementation anyhow. Reference: https://github.com/flusio/xExtension-Flus/commit/ed12d56#diff-ff12e33ed31b23bda327499fa6e84eccR143 --- app/FreshRSS.php | 17 ----------------- 1 file changed, 17 deletions(-) (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 8d079b268..886e30323 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -124,23 +124,6 @@ class FreshRSS extends Minz_FrontController { } public static function preLayout() { - switch (Minz_Request::controllerName()) { - case 'index': - $urlToAuthorize = array_filter(array_map(function ($a) { - if (isset($a['method']) && $a['method'] === 'POST') { - return $a['url']; - } - }, FreshRSS_Context::$user_conf->sharing)); - $connectSrc = count($urlToAuthorize) ? sprintf("; connect-src 'self' %s", implode(' ', $urlToAuthorize)) : ''; - header(sprintf("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; media-src *%s", $connectSrc)); - break; - case 'stats': - header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); - break; - default: - header("Content-Security-Policy: default-src 'self'"); - break; - } header("X-Content-Type-Options: nosniff"); FreshRSS_Share::load(join_path(APP_PATH, 'shares.php')); -- cgit v1.2.3