i guess i'll elaborate on the subject of CSP in tt-rss because this isn't the first time this has been requested.
1. i'm not going to change the way i'm coding things, so 'unsafe-inline' is going to be required
(btw i like how the attributes are prefixed unsafe- so as to force the authors' mentality on everyone, it nicely shows how people involved in this standard are a bunch of condescending spergs using tumblr-esque debate tactics)
2. unsafe-eval seems to be required by Dojo, which i have no control over. i don't think CSP allows relaxing limits for specific scopes within an origin URL.
3. tt-rss strips loading of external stylesheets and any other imaginable potentially harmful crap from RSS feeds, so adding bandaid headers would have limited, if any, effect.
of course, it won't hurt if something somehow slips through the cracks, but that would likely involve a compromised plugin or something else on your server, which is a situation where you are completely fucked already anyway.
so, to sum up, while i can commit something like the following code block, other than making a bunch of sperglords feel a bit safer, it is unlikely to have any effect on tt-rss security.
<?php
header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'"); // must be sent before any output
should i? idk
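To make concrete what the header proposed in the post would and would not do, here is a small CSP evaluator. This is an added example, not tt-rss code and not something the author wrote; it evaluates a script-src policy against three kinds of script (inline, eval, external URL) and models 'self', 'none', '*', scheme-sources, host-sources with *.wildcards and ports, 'unsafe-inline' and 'unsafe-eval'. Nonces and hashes are deliberately not modelled, and a host-source without a scheme is not checked against the page scheme. The page origin https://rss.example.test and the script URLs are constructed for the demo.

```python
"""Tiny CSP script-src evaluator (added example; not part of tt-rss).

Assumptions: hypothetical page origin https://rss.example.test, constructed
script URLs; nonce-/hash-sources are ignored; a host-source with no scheme
is not checked against the page scheme (simplification).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source-expressions]}.
    As in the spec, when a directive appears twice only the first copy is used."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def origin_of(url):
    """Return scheme://host[:port] with default ports dropped."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    if u.port is None or u.port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{u.port}"


def effective_sources(policy, directive):
    """script-src falls back to default-src; neither present means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def _host_source_matches(expr, url):
    """Match one scheme-source or host-source expression against a URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    if expr == "*":
        return True
    if "://" not in expr and expr.endswith(":"):        # scheme-source, e.g. "https:"
        return scheme == expr[:-1].lower()
    if "://" in expr:
        want_scheme, rest = expr.split("://", 1)
        if scheme != want_scheme.lower():
            return False
    else:
        rest = expr                                       # scheme not checked (simplification)
    hostpart = rest.split("/", 1)[0]
    want_port = None
    if ":" in hostpart:
        hostpart, want_port = hostpart.rsplit(":", 1)
    hostpart = hostpart.lower()
    if want_port not in (None, "*") and str(port) != want_port:
        return False
    if hostpart.startswith("*."):                         # "*.example.test": any subdomain, not the apex
        return host.endswith(hostpart[1:])
    return host == hostpart


def script_allowed(policy, page_url, kind, url=None):
    """Decide whether a script may run on page_url.
    kind is 'inline', 'eval' or 'external' (url is required for external)."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True                                       # no script-src and no default-src
    if kind == "inline":
        return "'unsafe-inline'" in sources
    if kind == "eval":
        return "'unsafe-eval'" in sources
    if kind != "external" or url is None:
        raise ValueError("kind must be inline, eval or external (with url)")
    if "'none'" in sources:
        return False
    for expr in sources:
        if expr == "'self'":
            if origin_of(url) == origin_of(page_url):
                return True
        elif expr.startswith("'"):
            continue                                      # other keyword, nonce or hash: not a host-source
        elif _host_source_matches(expr, url):
            return True
    return False


def report(header, page_url, external_urls):
    """Summarise what a header permits for one page; returns a dict."""
    policy = parse_csp(header)
    return {
        "inline": script_allowed(policy, page_url, "inline"),
        "eval": script_allowed(policy, page_url, "eval"),
        "external": {u: script_allowed(policy, page_url, "external", u) for u in external_urls},
    }


if __name__ == "__main__":
    # Constructed inputs: the header from the post, a hypothetical tt-rss origin,
    # one same-origin script and one that a feed might try to smuggle in.
    PAGE = "https://rss.example.test/tt-rss/"
    URLS = ["https://rss.example.test/tt-rss/lib/dojo/dojo.js",
            "https://feed-cdn.example.invalid/evil.js"]
    for hdr in ["script-src 'self' 'unsafe-inline' 'unsafe-eval'", "script-src 'self'"]:
        print(hdr, "->", report(hdr, PAGE, URLS))
```

Running it shows the trade-off in the post directly: with 'unsafe-inline' and 'unsafe-eval' the policy still refuses a script loaded from a non-'self' host, while dropping those two keywords blocks the inline and eval() usage the application itself depends on.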