mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-07-17 10:33:04 -04:00
CSP compatibility with Firefox older than 45
https://github.com/FreshRSS/FreshRSS/pull/1075 https://github.com/FreshRSS/FreshRSS/pull/1078 https://developer.mozilla.org/en-US/Firefox/Releases/45#Security https://bugzilla.mozilla.org/show_bug.cgi?id=1045891
This commit is contained in:
@@ -3,7 +3,7 @@
|
||||
## 2016-03-xx FreshRSS 1.3.1-beta
|
||||
|
||||
* Security
|
||||
* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
|
||||
* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
|
||||
* Features
|
||||
* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
|
||||
* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS
|
||||
|
||||
@@ -113,7 +113,7 @@ class FreshRSS extends Minz_FrontController {
|
||||
public static function preLayout() {
|
||||
switch (Minz_Request::controllerName()) {
|
||||
case 'index':
|
||||
header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
|
||||
header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
|
||||
break;
|
||||
case 'stats':
|
||||
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
|
||||
|
||||
Reference in New Issue
Block a user