what is the use case?

link: FreshRSS/Extensions#261

I am a bit worried of having something like that in the core, which dynamically modifies CSP security headers.
What would be a typical location for your CSS file, in your personal use case, @Rambomst ?

I am a bit worried of having something like that in the core, which dynamically modifies CSP security headers. What would be a typical location for your CSS file, in your personal use case, @Rambomst ?

I have the CSS file sitting in another docker container on the same server though its referenced using a full domain https://example.com/my.css.

Since this is a user based plugin and the CSS URL entered will only be displayed to the current logged in user after they themselves have set the URL, would it be a huge concern? Perhaps a warning message about the potential perils of not using a domain under your control?

We should in particular double-check that this is not used for instance on the login screen, if used by the default user

My 2 cents here:
I am not a fan of having this security change inside a default delivered extension.
I understand the use case but to honest: If you have hundrets/thousands of CSS lines added why do not develop a new own theme? It is very simple to use the CSS files from exisiting themes and create new CSS files.

But open a potential stream into the web just for a very very very very rare use case makes me a bad gut feeling

@math-GH

but to honest: If you have hundrets/thousands of CSS lines added why do not develop a new own theme?

The stylesheet I am using is actually shared by a few applications so that's why I needed something like this over a custom theme.

But open a potential stream into the web just for a very very very very rare use case makes me a bad gut feeling

The only time anything is changed is if a user sets a URL otherwise the CSP values remain unchanged, but I also get where you are coming from. Originally I just had this as a custom extension but when I opened a PR to add my extension to the list of third party extensions available I was told to do this instead and that PR there hasn't been merged.

It is very simple to use the CSS files from exisiting themes and create new CSS files.

That's talking from the perspective of a server administrator. From the perspective of a user that isn't very simple but completely impossible.

But open a potential stream into the web just for a very very very very rare use case makes me a bad gut feeling

Imho the complete opposite of rare among the audience most likely to use FreshRSS.

@Rambomst

The only time anything is changed is if a user sets a URL otherwise the CSP values remain unchanged, but I also get where you are coming from. Originally I just had this as a custom extension but when I opened a PR to add my extension to the list of third party extensions available I was told to do this instead and that PR there hasn't been merged.

Imo it should either be part of CustomCSS or part of the server config and it doesn't make sense as a separate extension, but my expectation would be that if you disagreed you would've said so rather than jumping straight into implementing it in CustomCSS. ;-)