mirror of https://github.com/miniflux/v2.git
Compare commits
3 Commits
f7e372105e
...
fce4da79e1
Author | SHA1 | Date |
---|---|---|
John | fce4da79e1 | |
dependabot[bot] | 9233568da3 | |
John | 19fb9675a4 |
4
go.mod
4
go.mod
|
@ -11,7 +11,7 @@ require (
|
|||
github.com/gorilla/mux v1.8.1
|
||||
github.com/lib/pq v1.10.9
|
||||
github.com/prometheus/client_golang v1.19.0
|
||||
github.com/tdewolff/minify/v2 v2.20.19
|
||||
github.com/tdewolff/minify/v2 v2.20.20
|
||||
github.com/yuin/goldmark v1.7.1
|
||||
golang.org/x/crypto v0.22.0
|
||||
golang.org/x/net v0.24.0
|
||||
|
@ -38,7 +38,7 @@ require (
|
|||
github.com/prometheus/client_model v0.5.0 // indirect
|
||||
github.com/prometheus/common v0.48.0 // indirect
|
||||
github.com/prometheus/procfs v0.12.0 // indirect
|
||||
github.com/tdewolff/parse/v2 v2.7.12 // indirect
|
||||
github.com/tdewolff/parse/v2 v2.7.13 // indirect
|
||||
github.com/x448/float16 v0.8.4 // indirect
|
||||
golang.org/x/sys v0.19.0 // indirect
|
||||
google.golang.org/protobuf v1.33.0 // indirect
|
||||
|
|
8
go.sum
8
go.sum
|
@ -48,10 +48,10 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k
|
|||
github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
|
||||
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
|
||||
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||
github.com/tdewolff/minify/v2 v2.20.19 h1:tX0SR0LUrIqGoLjXnkIzRSIbKJ7PaNnSENLD4CyH6Xo=
|
||||
github.com/tdewolff/minify/v2 v2.20.19/go.mod h1:ulkFoeAVWMLEyjuDz1ZIWOA31g5aWOawCFRp9R/MudM=
|
||||
github.com/tdewolff/parse/v2 v2.7.12 h1:tgavkHc2ZDEQVKy1oWxwIyh5bP4F5fEh/JmBwPP/3LQ=
|
||||
github.com/tdewolff/parse/v2 v2.7.12/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
|
||||
github.com/tdewolff/minify/v2 v2.20.20 h1:vhULb+VsW2twkplgsawAoUY957efb+EdiZ7zu5fUhhk=
|
||||
github.com/tdewolff/minify/v2 v2.20.20/go.mod h1:GYaLXFpIIwsX99apQHXfGdISUdlA98wmaoWxjT9C37k=
|
||||
github.com/tdewolff/parse/v2 v2.7.13 h1:iSiwOUkCYLNfapHoqdLcqZVgvQ0jrsao8YYKP/UJYTI=
|
||||
github.com/tdewolff/parse/v2 v2.7.13/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
|
||||
github.com/tdewolff/test v1.0.11-0.20231101010635-f1265d231d52/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
|
||||
github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739 h1:IkjBCtQOOjIn03u/dMQK9g+Iw9ewps4mCl1nB8Sscbo=
|
||||
github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739/go.mod h1:XPuWBzvdUzhCuxWO1ojpXsyzsA5bFoS3tO/Q3kFuTG8=
|
||||
|
|
|
@ -2109,3 +2109,21 @@ func TestParseConfigDumpOutput(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestContentSecurityPolicy(t *testing.T) {
|
||||
os.Clearenv()
|
||||
os.Setenv("CONTENT_SECURITY_POLICY", "default-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src * data:; media-src *; frame-src *; style-src 'self' fonts.googleapis.com fonts.gstatic.com 'nonce-%s'")
|
||||
|
||||
parser := NewParser()
|
||||
opts, err := parser.ParseEnvironmentVariables()
|
||||
if err != nil {
|
||||
t.Fatalf(`Parsing failure: %v`, err)
|
||||
}
|
||||
|
||||
expected := "default-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src * data:; media-src *; frame-src *; style-src 'self' fonts.googleapis.com fonts.gstatic.com 'nonce-%s'"
|
||||
result := opts.ContentSecurityPolicy()
|
||||
|
||||
if result != expected {
|
||||
t.Fatalf(`Unexpected CONTENT_SECURITY_POLICY value, got %v instead of %v`, result, expected)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -85,6 +85,7 @@ const (
|
|||
defaultWatchdog = true
|
||||
defaultInvidiousInstance = "yewtu.be"
|
||||
defaultWebAuthn = false
|
||||
defaultContentSecurityPolicy = "default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-%s'; require-trusted-types-for 'script'; trusted-types ttpolicy;"
|
||||
)
|
||||
|
||||
var defaultHTTPClientUserAgent = "Mozilla/5.0 (compatible; Miniflux/" + version.Version + "; +https://miniflux.app)"
|
||||
|
@ -169,6 +170,7 @@ type Options struct {
|
|||
invidiousInstance string
|
||||
mediaProxyPrivateKey []byte
|
||||
webAuthn bool
|
||||
contentSecurityPolicy string
|
||||
}
|
||||
|
||||
// NewOptions returns Options with default values.
|
||||
|
@ -244,6 +246,7 @@ func NewOptions() *Options {
|
|||
invidiousInstance: defaultInvidiousInstance,
|
||||
mediaProxyPrivateKey: crypto.GenerateRandomBytes(16),
|
||||
webAuthn: defaultWebAuthn,
|
||||
contentSecurityPolicy: defaultContentSecurityPolicy,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -620,6 +623,11 @@ func (o *Options) FilterEntryMaxAgeDays() int {
|
|||
return o.filterEntryMaxAgeDays
|
||||
}
|
||||
|
||||
// ContentSecurityPolicy returns value for Content-Security-Policy meta tag.
|
||||
func (o *Options) ContentSecurityPolicy() string {
|
||||
return o.contentSecurityPolicy
|
||||
}
|
||||
|
||||
// SortedOptions returns options as a list of key value pairs, sorted by keys.
|
||||
func (o *Options) SortedOptions(redactSecret bool) []*Option {
|
||||
var keyValues = map[string]interface{}{
|
||||
|
@ -697,6 +705,7 @@ func (o *Options) SortedOptions(redactSecret bool) []*Option {
|
|||
"WORKER_POOL_SIZE": o.workerPoolSize,
|
||||
"YOUTUBE_EMBED_URL_OVERRIDE": o.youTubeEmbedUrlOverride,
|
||||
"WEBAUTHN": o.webAuthn,
|
||||
"CONTENT_SECURITY_POLICY": o.contentSecurityPolicy,
|
||||
}
|
||||
|
||||
keys := make([]string, 0, len(keyValues))
|
||||
|
|
|
@ -271,6 +271,8 @@ func (p *Parser) parseLines(lines []string) (err error) {
|
|||
p.opts.invidiousInstance = parseString(value, defaultInvidiousInstance)
|
||||
case "WEBAUTHN":
|
||||
p.opts.webAuthn = parseBool(value, defaultWebAuthn)
|
||||
case "CONTENT_SECURITY_POLICY":
|
||||
p.opts.contentSecurityPolicy = parseString(value, defaultContentSecurityPolicy)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -36,8 +36,13 @@
|
|||
|
||||
{{ if and .user .user.Stylesheet }}
|
||||
{{ $stylesheetNonce := nonce }}
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'; require-trusted-types-for 'script'; trusted-types ttpolicy;">
|
||||
<style nonce="{{ $stylesheetNonce }}">{{ .user.Stylesheet | safeCSS }}</style>
|
||||
{{ $containsNonce := contains .contentSecurityPolicy "nonce-%s" }}
|
||||
{{ if $containsNonce }}
|
||||
{{ noescape ( printf "<meta http-equiv=\"Content-Security-Policy\" content=\"%s\">" (printf .contentSecurityPolicy $stylesheetNonce ) ) }}
|
||||
{{ else }}
|
||||
{{ noescape ( printf "<meta http-equiv=\"Content-Security-Policy\" content=\"%s\">" .contentSecurityPolicy ) }}
|
||||
{{ end }}
|
||||
<style {{ if $containsNonce }}nonce="{{ $stylesheetNonce }}"{{end}}>{{ .user.Stylesheet | safeCSS }}</style>
|
||||
{{ else }}
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; require-trusted-types-for 'script'; trusted-types ttpolicy;">
|
||||
{{ end }}
|
||||
|
@ -58,7 +63,6 @@
|
|||
data-webauthn-delete-all-url="{{ route "webauthnDeleteAll" }}"
|
||||
{{ end }}
|
||||
{{ if .user }}{{ if not .user.KeyboardShortcuts }}data-disable-keyboard-shortcuts="true"{{ end }}{{ end }}>
|
||||
|
||||
{{ if .user }}
|
||||
<a class="skip-to-content-link" href="#main">{{ t "skip_to_content" }}</a>
|
||||
<header class="header">
|
||||
|
|
|
@ -46,5 +46,6 @@ func New(tpl *template.Engine, r *http.Request, sess *session.Session) *View {
|
|||
"sw_js_checksum": static.JavascriptBundleChecksums["service-worker"],
|
||||
"webauthn_js_checksum": static.JavascriptBundleChecksums["webauthn"],
|
||||
"webAuthnEnabled": config.Opts.WebAuthn(),
|
||||
"contentSecurityPolicy": config.Opts.ContentSecurityPolicy(),
|
||||
}}
|
||||
}
|
||||
|
|
|
@ -534,6 +534,15 @@ Default is 16 workers\&.
|
|||
YouTube URL which will be used for embeds\&.
|
||||
.br
|
||||
Default is https://www.youtube-nocookie.com/embed/\&.
|
||||
.TP
|
||||
.B CONTENT_SECURITY_POLICY
|
||||
Set custom value for Content-Security-Policy meta tag. Used when custom CSS is applied.
|
||||
.br
|
||||
It may contain "nonce-%s", where nonce will be placed\&.
|
||||
.br
|
||||
Default is "default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-%s'; require-trusted-types-for 'script'; trusted-types ttpolicy;"\&.
|
||||
.TP
|
||||
|
||||
.SH AUTHORS
|
||||
.P
|
||||
Miniflux is written and maintained by Fr\['e]d\['e]ric Guillot\&.
|
||||
|
|
Loading…
Reference in New Issue