From 2935aaef450901d315fba1614cc66e1f0ad80b0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Sun, 2 Jan 2022 17:24:49 -0800
Subject: [PATCH] Add Content-Security-Policy header to feed icon url

- SVG images could contains Javascript. This CSP blocks inline script.
- Feed icons are served using tag and Javascript is not interpreted. See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions
---
 ui/feed_icon.go | 1 +
 ui/proxy.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ui/feed_icon.go b/ui/feed_icon.go
index 4b5f30f7..66c47075 100644
--- a/ui/feed_icon.go
+++ b/ui/feed_icon.go
@@ -27,6 +27,7 @@ func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
 	}
 
 	response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
+		b.WithHeader("Content-Security-Policy", `default-src 'self'`)
 		b.WithHeader("Content-Type", icon.MimeType)
 		b.WithBody(icon.Content)
 		b.WithoutCompression()
diff --git a/ui/proxy.go b/ui/proxy.go
index 0c422437..0f7630ce 100644
--- a/ui/proxy.go
+++ b/ui/proxy.go
@@ -67,6 +67,7 @@ func (h *handler) imageProxy(w http.ResponseWriter, r *http.Request) {
 	etag := crypto.HashFromBytes(decodedURL)
 
 	response.New(w, r).WithCaching(etag, 72*time.Hour, func(b *response.Builder) {
+		b.WithHeader("Content-Security-Policy", `default-src 'self'`)
 		b.WithHeader("Content-Type", resp.Header.Get("Content-Type"))
 		b.WithBody(resp.Body)
 		b.WithoutCompression()
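Review bot: The `default-src 'self'` value on the added line blocks inline script and event handlers, but 'self' still authorises any script, style or fetch from the site's own origin, so it only partially covers the case the commit message describes (an SVG opened as a top-level document instead of through an img tag). Since these responses are only ever meant to be rendered as images, a policy that allows nothing is the one that matches the intent: `b.WithHeader("Content-Security-Policy", "default-src 'none'")`, optionally with a `sandbox` directive, and no other line in the hunk needs to change. The identical line is added in the ui/proxy.go hunk and the same tightening applies there. The enclosing showIcon function starts outside the hunk.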
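Review bot: The Content-Type set on the line right after the new header is relayed verbatim from the upstream `resp.Header.Get("Content-Type")`, so the CSP is the only response-side control visible here over how a browser interprets a proxied body whose declared type is not an image; whether imageProxy validates the upstream type before this point is outside the hunk. Pairing the new header with `b.WithHeader("X-Content-Type-Options", "nosniff")` keeps the browser from sniffing an untyped or mistyped body into HTML or script, and costs nothing for genuine images. If the upstream type is already checked earlier in imageProxy, a one-line comment above the header saying so would spare the next reader the question.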