From 7da0e70a7221a42fb8ff6534fc339b18f8e2daa1 Mon Sep 17 00:00:00 2001 From: Alexis Degrugillier Date: Sat, 30 Mar 2024 13:09:44 -0400 Subject: Add a way to modify CSP rules within an extension (#6246) This will allow to change CSP rules to authorize the use of external scripts. We might need to add some safeguard since it will be virtually possible to load any script even malicious one. --- docs/en/developers/03_Backend/05_Extensions.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'docs') diff --git a/docs/en/developers/03_Backend/05_Extensions.md b/docs/en/developers/03_Backend/05_Extensions.md index 644420440..770ea29cc 100644 --- a/docs/en/developers/03_Backend/05_Extensions.md +++ b/docs/en/developers/03_Backend/05_Extensions.md @@ -164,6 +164,19 @@ The following events are available: * `post_update` (`function(none) -> none`): **TODO** add documentation. * `simplepie_before_init` (`function($simplePie, $feed) -> none`): **TODO** add documentation. +### Injecting CDN content + +When using the `init` method, it is possible to inject scripts from CDN using the `Minz_View::appendScript` directive. +FreshRSS will include the script in the page but will not load it since it will be blocked by the default content security policy (**CSP**). +To amend the existing CSP, you need to define the extension CSP policies: +```php +// in the extension.php file +protected array $csp_policies = [ + 'default-src' => 'example.org', +]; +``` +This will only amend the extension CSP to FreshRSS CSP. + ### Writing your own configure.phtml When you want to support user configurations for your extension or simply display some information, you have to create the `configure.phtml` file. -- cgit v1.2.3