author: Thomas Hufschmidt <11391961+Hufschmidt@users.noreply.github.com> 2026-01-17 22:28:56 +0100
committer: GitHub <noreply@github.com> 2026-01-17 22:28:56 +0100
commit: 2cbb5f8db1d0764aba9a66997f940739e8bb7eb1 (patch)
tree: 96483e4ba06766fef27f4afc410f56176c1cc256
parent: db16450b93e300c22867823a27fa5c02f59f03db (diff)
Update documentation in regards to CSP warnings (#8439)
* Add a reference to the check where the warning is triggered
  Note: This is the place where the admin sees the browser pointing to. Adding this information here allows the admin to find the matching documentation entry.
* Update Content-Security-Policy section of English ServerConfig documentation
  Note: This fixes some minor formatting/typing issues and adds some clarity to the fact that this warning is also triggered on correctly configured hosts, simply due to the nature of how correctness of CSP rules is checked.
* Move CSP info source-code comment into console.info
  Note: Improve visibility of why this is happening.
* Point towards static website documentation instead of git
  This URL should also remain more fixed even across new branches/releases.
  Co-authored-by: Inverle <inverle@proton.me>
* Minor fixes
* Remove overwrite part
---------
Co-authored-by: Inverle <inverle@proton.me>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
 docs/en/admins/10_ServerConfig.md | 8
 p/scripts/main.js                 | 2
 2 files changed, 6 insertions, 4 deletions
diff --git a/docs/en/admins/10_ServerConfig.md b/docs/en/admins/10_ServerConfig.md
index c907221ea..84dccd272 100644
--- a/docs/en/admins/10_ServerConfig.md
+++ b/docs/en/admins/10_ServerConfig.md
@@ -115,18 +115,18 @@ server {
## Security
-Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."`
+Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."` or `add_header 'Content-Security-Policy' '...'`.
✅ Example of good CSP: `default-src 'self'; frame-ancestors 'self'`
❌ Bad CSP: `upgrade-insecure-requests`
-Debug CSP header:
+Debug your own CSP header:
* With DevTools network tab: press F12
* [CSP Evaluator](https://csp-evaluator.withgoogle.com/)
-If you're aware of the risks and want to ignore the warning shown to admin users, change the `suppress_csp_warning` setting to `true` in `./data/config.php`
+If you’re aware of the risks and want to ignore the warning shown to admin users, change the `suppress_csp_warning` setting to `true` in `./data/config.php`.
-Note that FreshRSS already ships with a secure CSP configuration, therefore it's not necessary to make any adjustments to CSP unless you're writing an extension.
+Note that FreshRSS already ships with a secure CSP configuration, therefore it’s not necessary to make any adjustments to CSP unless you’re writing an extension.
For that, look into the [`Minz_ActionController::_csp`](https://github.com/FreshRSS/FreshRSS/blob/d9197d7e32a97f29829ffd4cf4371b1853e51fa2/lib/Minz/ActionController.php#L76-L96) function and use it in individual actions.
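Review bot: the commit message says this section should make clear that the warning also appears on correctly configured hosts, but none of the changed lines in this hunk say so, and the new console.info in main.js sends readers to exactly this `#security` anchor for that explanation. Suggest a sentence near the `suppress_csp_warning` line along the lines of: "FreshRSS tests your CSP by attempting a `Function()` call; on a correctly configured host (`script-src` set without `'unsafe-eval'`) the browser blocks it and reports an 'unsafe-eval' violation in the console. That console message is expected and is not a misconfiguration." Separately, the lines that only gain a trailing period also swap straight apostrophes for curly ones (`you're` to `you’re`); pick one style and keep it consistent with the rest of the file rather than mixing both within a section.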
diff --git a/p/scripts/main.js b/p/scripts/main.js
index 3b47beb84..80fbd71fc 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -2327,6 +2327,8 @@ function init_csp_alert() {
Function();
} catch (_) {
// Exit if 'script-src' is set and 'unsafe-eval' isn't set in CSP
+ console.info(`If you see a 'unsafe-eval' warning, everything is working as intended:
+see https://freshrss.github.io/FreshRSS/en/admins/10_ServerConfig.html#security`);
return;
}
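Review bot: the console.info in this catch block fires on every page load for every visitor whenever `Function()` is blocked, which is the normal case on a correctly configured host, so it becomes a permanent console line in all sessions rather than something only the admins who see the actual warning would encounter; unless init_csp_alert() is already limited to admin sessions, consider gating the message the same way as the warning or honouring `suppress_csp_warning`. Also, the catch treats any exception from `Function()` as the CSP case while the message asserts with certainty that "everything is working as intended"; wording that mirrors the comment above it ("this is expected if your CSP sets script-src without 'unsafe-eval'") would match what the code actually knows at that point.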