From 4560af165e7fa25dddd46f49ad4a0d9f3149336c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@miniflux.net>
Date: Sat, 25 Nov 2017 18:21:02 -0800
Subject: [PATCH] Add Content-Security-Policy header

---
 server/core/response.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/core/response.go b/server/core/response.go
index 3bce9d91..4aef8af0 100644
--- a/server/core/response.go
+++ b/server/core/response.go
@@ -69,6 +69,7 @@ func (r *Response) commonHeaders() {
 	r.writer.Header().Set("X-XSS-Protection", "1; mode=block")
 	r.writer.Header().Set("X-Content-Type-Options", "nosniff")
 	r.writer.Header().Set("X-Frame-Options", "DENY")
+	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *")
 }
 
 // NewResponse returns a new Response.