

Add Content-Security-Policy header to feed icon url
- SVG images can contain JavaScript. This CSP blocks inline script.
- Feed icons are served using <img> tag and Javascript is not interpreted.

See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions
fguillot committed Jan 3, 2022
1 parent 33fd0a6 commit 2935aae
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions ui/feed_icon.go
Expand Up @@ -27,6 +27,7 @@ func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
}

response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", icon.MimeType)
b.WithBody(icon.Content)
b.WithoutCompression()
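Review bot: `default-src 'self'` on the new header line still lets an SVG that is opened directly (navigated to as a document rather than loaded via `<img>`) pull scripts, images or fonts from the application's own origin, because `script-src` falls back to `default-src` and `'self'` matches any same-origin URL; an image response needs no sub-resources at all, so the tightest policy is `b.WithHeader("Content-Security-Policy", \`default-src 'none'; sandbox\`)`. If icon.MimeType can ever be empty or inaccurate, adding `b.WithHeader("X-Content-Type-Options", "nosniff")` next to it keeps browsers from sniffing the body into a scriptable type. Note that a CSP header only governs the response when it is rendered as a document, so this adds nothing for `<img>` loads, which matches the commit message's rationale. The showIcon function and the WithCaching closure both continue outside the hunk.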
1 change: 1 addition & 0 deletions ui/proxy.go
Expand Up @@ -67,6 +67,7 @@ func (h *handler) imageProxy(w http.ResponseWriter, r *http.Request) {
etag := crypto.HashFromBytes(decodedURL)

response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
b.WithBody(resp.Body)
b.WithoutCompression()
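Review bot: The Content-Type on the line after the new header is copied verbatim from the upstream response, so if the remote server answers with `text/html` (or an empty type the browser sniffs), the proxied body is rendered as a document on the application's origin when someone opens the proxy URL directly, and the new CSP only partly helps: `'self'` still permits same-origin scripts, and `default-src` does not govern `form-action` or `base-uri`. Unless imageProxy already validates the upstream type earlier in the function (outside this hunk), it should check that `resp.Header.Get("Content-Type")` starts with `image/` before serving the body and fail closed otherwise, and tighten the header to `default-src 'none'; sandbox` together with `X-Content-Type-Options: nosniff`. The imageProxy function starts and ends outside the hunk.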
