aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorGravatar Frédéric Guillot <fred@miniflux.net>2017-12-04 20:46:49 -0800
committerGravatar Frédéric Guillot <fred@miniflux.net>2017-12-04 20:46:49 -0800
commit321d7182ae436dfea1a81a7f6e1444bded42fcf8 (patch)
tree94f01519827bd462c3fec64487a4c22d2df855e1
parent0e6fc2db1ec04d82154517202a5cc1339dcce250 (diff)
Add child-src CSP directive
-rw-r--r--server/core/response.go5
1 files changed, 4 insertions, 1 deletions
diff --git a/server/core/response.go b/server/core/response.go
index fc15e42..70050a1 100644
--- a/server/core/response.go
+++ b/server/core/response.go
@@ -69,7 +69,10 @@ func (r *Response) commonHeaders() {
r.writer.Header().Set("X-XSS-Protection", "1; mode=block")
r.writer.Header().Set("X-Content-Type-Options", "nosniff")
r.writer.Header().Set("X-Frame-Options", "DENY")
- r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *")
+
+ // Even if the directive "frame-src" has been deprecated in Firefox,
+ // we keep it to stay compatible with other browsers.
+ r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
}
// NewResponse returns a new Response.