authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-03-01 21:56:19 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-03-01 21:56:19 +0100
commitcbac2afd23daaeeb3b5d6c81fdcd5c28619f5b1d (patch)
tree2a32b497e438291604663ee1b9e5b92f35bc815c
parentee69a24a2dbe254f02357e082a1987ae401e1946 (diff)
CSP compatibility with Firefox older than 45
https://github.com/FreshRSS/FreshRSS/pull/1075 https://github.com/FreshRSS/FreshRSS/pull/1078 https://developer.mozilla.org/en-US/Firefox/Releases/45#Security https://bugzilla.mozilla.org/show_bug.cgi?id=1045891
-rw-r--r--CHANGELOG.md2
-rw-r--r--app/FreshRSS.php2
2 files changed, 2 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 096c930d1..43823b536 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,7 @@
## 2016-03-xx FreshRSS 1.3.1-beta
* Security
- * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
+ * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
* Features
* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index bfbd7a6eb..d6f4f4062 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -113,7 +113,7 @@ class FreshRSS extends Minz_FrontController {
public static function preLayout() {
switch (Minz_Request::controllerName()) {
case 'index':
- header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+ header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
break;
case 'stats':
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
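Review bot: The new CSP literal on the `case 'index':` line carries no record of why `child-src *` and `frame-src *` now both appear, so a later cleanup could drop one as redundant and silently re-break the browser generation this commit targets; a comment such as `// frame-src kept alongside child-src: per #1078, Firefox before 45 does not honour child-src` above the header() call would preserve that rationale. The same string is duplicated verbatim in CHANGELOG.md and each controller branch hard-codes its own policy, so hoisting it into a class constant (for example `const CSP_INDEX = "default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *";`) would keep the copies in step. Worth noting for readers that `*` in frame-src/child-src still excludes data:, blob: and filesystem: sources, so embeds using those schemes stay blocked. preLayout's switch continues past the hunk, so whether controllers other than index and stats receive any Content-Security-Policy header is not visible here.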