From afffbfce0758391a52c8c0c5b9766643a49065e8 Mon Sep 17 00:00:00 2001
From: Alexis Degrugillier <aledeg@users.noreply.github.com>
Date: Sat, 4 Nov 2017 21:19:51 +0100
Subject: Add a Mastodon share (#1674)

See #1521
---
 app/FreshRSS.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'app/FreshRSS.php')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 90d6fae06..8f4ee334c 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,7 +111,13 @@ class FreshRSS extends Minz_FrontController {
 	public static function preLayout() {
 		switch (Minz_Request::controllerName()) {
 			case 'index':
-				header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
+				$urlToAuthorize = array_filter(array_map(function($a) {
+					if ('POST' === $a['method']) {
+						return $a['url'];
+					}
+				}, FreshRSS_Context::$user_conf->sharing));
+				$connectSrc = count($urlToAuthorize) ? sprintf("; connect-src 'self' %s", implode(' ', $urlToAuthorize)) : '';
+				header(sprintf("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *%s", $connectSrc));
 				break;
 			case 'stats':
 				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
-- 
cgit v1.2.3