From 992858b68f3a1feaae7940026676497f74cdbdcf Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Sun, 17 May 2020 02:40:31 +0200
Subject: [PATCH] page: restrict security policy of base-src
---
 page.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/page.php b/page.php
index dee5ee0..93b705f 100644
--- a/page.php
+++ b/page.php
@@ -162,6 +162,7 @@ if ($PageAccess = $Article->restricted) {
 header(sprintf('Content-Security-Policy: %s', implode('; ', [
 "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
 "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+"base-uri 'self'", # only local pages
 "frame-ancestors 'none'", # prevent malicious embedding
 ])));
-- 
2.30.0
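Review bot: The comment on the added line, `# only local pages`, undersells why the directive is needed: `base-uri` is not covered by the `default-src` fallback, so without this entry an injected `<base>` element could redirect every relative script, form and link target on the page even with the other directives in place. Suggest `# no default-src fallback for base-uri; stops <base> injection rewriting relative URLs`. The subject line says `base-src`, but the directive added is `base-uri`, which is the correct CSP name, so the commit message is slightly misleading. Note that `default-src` on the preceding context line still carries `'unsafe-inline'`, so this change hardens relative-URL resolution rather than inline-script execution, which may be worth stating in the comment. The enclosing block (`if ($PageAccess = ...)` per the hunk header) starts and ends outside the hunk.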