CSP different policies per controller

FreshRSS#1075
Alkarex · Feb 21, 2016 · 38c2d67 · 38c2d67
1 parent cb913a3
commit 38c2d67
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
@@ -111,10 +111,16 @@ private function loadStylesAndScripts() {
 	}
 
 	public static function preLayout() {
-		if (Minz_Request::controllerName() === 'stats') {
-			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
-		} else {
-			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
 		}
 	}
 

diff --git a/app/install.php b/app/install.php
@@ -2,6 +2,7 @@
 if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
+header("Content-Security-Policy: default-src 'self'");
 
 define('BCRYPT_COST', 9);