
frame-ancestors CSP (#7677)

Inverle 9 months ago
parent
commit
a6948218fb

+ 1 - 0
app/Controllers/feedController.php

@@ -1150,6 +1150,7 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 
 		$this->_csp([
 			'default-src' => "'self'",
+			'frame-ancestors' => "'self'",
 			'frame-src' => '*',
 			'img-src' => '* data:',
 			'media-src' => '*',
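Review bot: This is the only place the commit sets `frame-ancestors 'self'` instead of `'none'`, and nothing on the added line says why, so the next maintainer is likely to "fix" it back to the default and break whatever depends on it. Presumably this action is rendered inside an iframe by FreshRSS's own same-origin pages (the neighbouring `frame-src '*'` suggests framing is in play), but that is inferred, not visible in the hunk. A one-line comment above the directive would pin the intent: `// Deliberately 'self' rather than the 'none' default: this view is framed by same-origin pages.` The enclosing method starts and ends outside the hunk.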

+ 2 - 0
app/Controllers/indexController.php

@@ -50,6 +50,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 			'default-src' => "'self'",
 			'frame-src' => '*',
 			'img-src' => '* data:',
+			'frame-ancestors' => "'none'",
 			'media-src' => '*',
 		]);
 
@@ -138,6 +139,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 			'default-src' => "'self'",
 			'frame-src' => '*',
 			'img-src' => '* data:',
+			'frame-ancestors' => "'none'",
 			'media-src' => '*',
 		]);
 	}
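Review bot: In both hunks `'frame-ancestors'` is slotted after `'img-src'`, whereas the rest of each array (and the feedController hunk in this same commit) keeps directives in alphabetical order, where `frame-ancestors` sorts before `frame-src`. Moving the line up so it sits directly under `'default-src' => "'self'",` keeps the lists consistent across controllers and makes a missing directive easier to spot by eye. This is style only; the emitted header is order-independent. Both enclosing methods start outside the hunk.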

+ 1 - 0
app/Controllers/statsController.php

@@ -29,6 +29,7 @@ class FreshRSS_stats_Controller extends FreshRSS_ActionController {
 
 		$this->_csp([
 			'default-src' => "'self'",
+			'frame-ancestors' => "'none'",
 			'img-src' => '* data:',
 			'style-src' => "'self' 'unsafe-inline'",
 		]);

+ 1 - 1
app/install.php

@@ -4,7 +4,7 @@ declare(strict_types=1);
 if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
-header("Content-Security-Policy: default-src 'self'");
+header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
 header('Referrer-Policy: same-origin');
 
 require(LIB_PATH . '/lib_install.php');
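Review bot: The new `frame-ancestors 'none'` has no fallback for user agents that do not implement CSP Level 2, so the install page is still frameable there; adding `header('X-Frame-Options: DENY');` beside the Referrer-Policy line closes that gap and is ignored by browsers that honour the CSP directive. The same one-line addition applies to the identical raw headers in lib_rss.php and p/f.php, which also bypass Minz_ActionController and therefore will not pick up future changes to `$csp_default`.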

+ 2 - 1
lib/Minz/ActionController.php

@@ -14,6 +14,7 @@ abstract class Minz_ActionController {
 	/** @var array<string,string> */
 	private static array $csp_default = [
 		'default-src' => "'self'",
+		'frame-ancestors' => "'none'",
 	];
 
 	/** @var array<string,string> */
@@ -66,7 +67,7 @@ abstract class Minz_ActionController {
 	 * @param array<string,string> $policies An array where keys are directives and values are sources.
 	 */
 	public static function _defaultCsp(array $policies): void {
-		if (!isset($policies['default-src'])) {
+		if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
 			Minz_Log::warning('Default CSP policy is not declared', ADMIN_LOG);
 		}
 		self::$csp_default = $policies;
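Review bot: The widened condition on the changed line now fires for a missing `frame-ancestors` as well, but the log text still reads "Default CSP policy is not declared", which no longer tells the admin which directive is absent, and the method then installs the weaker policy anyway. Logging per directive makes the warning actionable; whether to additionally fall back to `'none'` for a missing `frame-ancestors` instead of silently dropping clickjacking protection is a policy choice worth an explicit decision, since a warning in ADMIN_LOG is easy to miss. The `$csp_default` property hunk above already carries the `'none'` default, so the fallback would just reuse it.

```php
public static function _defaultCsp(array $policies): void {
	foreach (['default-src', 'frame-ancestors'] as $directive) {
		if (!isset($policies[$directive])) {
			Minz_Log::warning("Default CSP policy does not declare {$directive}", ADMIN_LOG);
		}
	}
	self::$csp_default = $policies;
}
```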

+ 1 - 1
lib/lib_rss.php

@@ -1010,7 +1010,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
 		$details = "<pre>{$details}</pre>";
 	}
 
-	header("Content-Security-Policy: default-src 'self'");
+	header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
 	header('Referrer-Policy: same-origin');
 
 	return <<<MSG

+ 1 - 1
p/f.php

@@ -48,7 +48,7 @@ if ($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (mt
 	}
 }
 
-header("Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';");
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self';");
 if (!httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) {
 	$ico_content_type = contentType($ico);
 	header('Content-Type: ' . $ico_content_type);

+ 1 - 1
p/themes/.htaccess

@@ -26,6 +26,6 @@
 
 <IfModule mod_headers.c>
 	<FilesMatch "\.svg$">
-		Header	set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"
+		Header	set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"
 	</FilesMatch>
 </IfModule>
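Review bot: `Header set` in mod_headers only applies to successful responses, so a 304 or error response for an SVG is served without the CSP at all; `Header always set Content-Security-Policy "..."` applies it unconditionally and is the usual form for security headers. Separately, `frame-ancestors 'none'` only affects SVGs loaded as a nested browsing context (`<object>`, `<embed>`, `<iframe>`), not `<img>` or CSS references; if any theme embeds an SVG via `<object>`/`<embed>` from its own pages, this will now block it and `'self'` would be the right value there, which I cannot confirm from this hunk.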