author | Frédéric Guillot <fred@miniflux.net> | 2017-12-04 20:46:49 -0800 |
committer | Frédéric Guillot <fred@miniflux.net> | 2017-12-04 20:46:49 -0800 |
commit | 321d7182ae436dfea1a81a7f6e1444bded42fcf8 (patch) | |
tree | 94f01519827bd462c3fec64487a4c22d2df855e1 | |
parent | 0e6fc2db1ec04d82154517202a5cc1339dcce250 (diff) |
Add child-src CSP directive
-rw-r--r-- | server/core/response.go | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/server/core/response.go b/server/core/response.go
index fc15e42..70050a1 100644
--- a/server/core/response.go
+++ b/server/core/response.go
@@ -69,7 +69,10 @@ func (r *Response) commonHeaders() {
 r.writer.Header().Set("X-XSS-Protection", "1; mode=block")
 r.writer.Header().Set("X-Content-Type-Options", "nosniff")
 r.writer.Header().Set("X-Frame-Options", "DENY")
- r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *")
+
+ // Even if the directive "frame-src" has been deprecated in Firefox,
+ // we keep it to stay compatible with other browsers.
+ r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
 }
 
 // NewResponse returns a new Response.
|
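Review bot: The added `child-src *` is wider than the frame-compatibility goal the new comment describes, because in CSP Level 2 child-src also governs the script URLs of Worker and SharedWorker, so `*` lifts workers from the `'self'` they would otherwise inherit from default-src to any origin. If only nested browsing contexts are meant, the comment should state the trade-off, e.g. `// child-src also scopes Worker script URLs; "*" here widens them beyond 'self' on purpose.`, or the policy string could add `worker-src 'self'` so browsers that understand CSP Level 3 keep workers same-origin while frames stay unrestricted. The hand-assembled policy string on the last added line would also be easier to audit as a named package-level constant than as an inline literal. commonHeaders begins before this hunk, so any earlier header writes are not visible here.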