miniflux/ui/feed_icon.go
Frédéric Guillot 2935aaef45 Add Content-Security-Policy header to feed icon url
- SVG images could contains Javascript. This CSP blocks inline script.
- Feed icons are served using <img> tag and Javascript is not interpreted.

See https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions
2022-01-02 17:38:53 -08:00

36 lines
868 B
Go

// Copyright 2017 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
package ui // import "miniflux.app/ui"
import (
"net/http"
"time"
"miniflux.app/http/request"
"miniflux.app/http/response"
"miniflux.app/http/response/html"
)
func (h *handler) showIcon(w http.ResponseWriter, r *http.Request) {
iconID := request.RouteInt64Param(r, "iconID")
icon, err := h.store.IconByID(iconID)
if err != nil {
html.ServerError(w, r, err)
return
}
if icon == nil {
html.NotFound(w, r)
return
}
response.New(w, r).WithCaching(icon.Hash, 72*time.Hour, func(b *response.Builder) {
b.WithHeader("Content-Security-Policy", `default-src 'self'`)
b.WithHeader("Content-Type", icon.MimeType)
b.WithBody(icon.Content)
b.WithoutCompression()
b.Write()
})
}