authorGravatar Inverle <inverle@proton.me> 2025-06-18 22:20:17 +0200
committerGravatar GitHub <noreply@github.com> 2025-06-18 22:20:17 +0200
commita6948218fb1c66fe146c7651555e5a1f791c8112 (patch)
treea878349b1d2808d2ed7318aa34df0546e534690e
parentaa45bcbe5a0a723c4b6adfb50139be0be6336d2b (diff)
frame-ancestors CSP (#7677)
-rwxr-xr-xapp/Controllers/feedController.php1
-rw-r--r--app/Controllers/indexController.php2
-rw-r--r--app/Controllers/statsController.php1
-rw-r--r--app/install.php2
-rw-r--r--lib/Minz/ActionController.php3
-rw-r--r--lib/lib_rss.php2
-rw-r--r--p/f.php2
-rw-r--r--p/themes/.htaccess2
8 files changed, 10 insertions, 5 deletions
diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index 9769a6df0..35b209a4d 100755
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -1150,6 +1150,7 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
$this->_csp([
'default-src' => "'self'",
+ 'frame-ancestors' => "'self'",
'frame-src' => '*',
'img-src' => '* data:',
'media-src' => '*',
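Review bot: This is the only policy in the commit that sets `frame-ancestors 'self'` while every other site sets `'none'`, and nothing in the hunk records why this action may be framed at all. If that is intentional because FreshRSS loads this action inside one of its own iframes, say so next to the directive, e.g. `// 'self' rather than 'none': this action is rendered inside a FreshRSS iframe`; otherwise it should be `'none'` like the rest. The enclosing method starts and ends outside the hunk, so I cannot tell from here which action this is.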
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index 1f49e03ee..661e8300b 100644
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -50,6 +50,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
'default-src' => "'self'",
'frame-src' => '*',
'img-src' => '* data:',
+ 'frame-ancestors' => "'none'",
'media-src' => '*',
]);
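Review bot: `frame-ancestors` is inserted between `img-src` and `media-src`, breaking the alphabetical order the other hunks keep (they place it directly after `default-src`); moving `'frame-ancestors' => "'none'",` up one position keeps the arrays consistent across controllers. Whether this explicit entry is needed at all depends on how `_csp()` combines its argument with `$csp_default`, which now carries the same value: if it merges, the entry is redundant, and if it replaces the defaults wholesale it is required and deserves a short comment so nobody later removes it as a duplicate. `_csp()` and the enclosing method are outside this hunk.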
@@ -138,6 +139,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
'default-src' => "'self'",
'frame-src' => '*',
'img-src' => '* data:',
+ 'frame-ancestors' => "'none'",
'media-src' => '*',
]);
}
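Review bot: The policy array here is now identical to the one in the earlier hunk of this file, and both have to be edited together whenever a directive changes; a private constant or small helper holding the shared policy, used by both actions, would stop the two from drifting apart. As in the earlier hunk, `frame-ancestors` sits after `img-src` rather than after `default-src` as in the other files. The enclosing method begins outside the hunk.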
diff --git a/app/Controllers/statsController.php b/app/Controllers/statsController.php
index 7a7180176..8759eae9d 100644
--- a/app/Controllers/statsController.php
+++ b/app/Controllers/statsController.php
@@ -29,6 +29,7 @@ class FreshRSS_stats_Controller extends FreshRSS_ActionController {
$this->_csp([
'default-src' => "'self'",
+ 'frame-ancestors' => "'none'",
'img-src' => '* data:',
'style-src' => "'self' 'unsafe-inline'",
]);
diff --git a/app/install.php b/app/install.php
index 3d835d1f1..0e408db52 100644
--- a/app/install.php
+++ b/app/install.php
@@ -4,7 +4,7 @@ declare(strict_types=1);
if (function_exists('opcache_reset')) {
opcache_reset();
}
-header("Content-Security-Policy: default-src 'self'");
+header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
header('Referrer-Policy: same-origin');
require(LIB_PATH . '/lib_install.php');
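Review bot: The baseline policy `default-src 'self'; frame-ancestors 'none'` is now hand-maintained as a string literal in three separate `header()` calls (here, `lib/lib_rss.php` and `p/f.php`) and again as an array in `Minz_ActionController::$csp_default`, so the next directive added must be remembered in four places. A single shared constant for the baseline that the raw `header()` sites interpolate, e.g. `header('Content-Security-Policy: ' . FRESHRSS_CSP_BASELINE);`, would keep them from diverging. The constant would have to live somewhere loaded before this file, which is outside the hunk.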
diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 350b3a9bb..80ce8386f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -14,6 +14,7 @@ abstract class Minz_ActionController {
/** @var array<string,string> */
private static array $csp_default = [
'default-src' => "'self'",
+ 'frame-ancestors' => "'none'",
];
/** @var array<string,string> */
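Review bot: `frame-ancestors 'none'` in the default policy is the right baseline, but it only protects clients that implement CSP Level 2; engines that predate it, or that only honour the older header, will still frame the page. If such clients matter for this deployment, emitting `X-Frame-Options: DENY` alongside the CSP is a harmless fallback, since browsers that understand `frame-ancestors` are specified to ignore `X-Frame-Options` when both are present. A one-line comment on the new entry, e.g. `// Clickjacking defence: FreshRSS pages must never be framed by another origin`, would also help a reader who later meets the `'self'` exception in the feed controller. Whether every response is actually built from this array is decided outside the hunk.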
@@ -66,7 +67,7 @@ abstract class Minz_ActionController {
* @param array<string,string> $policies An array where keys are directives and values are sources.
*/
public static function _defaultCsp(array $policies): void {
- if (!isset($policies['default-src'])) {
+ if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
Minz_Log::warning('Default CSP policy is not declared', ADMIN_LOG);
}
self::$csp_default = $policies;
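Review bot: When only `frame-ancestors` is missing from `$policies`, the warning still reads `Default CSP policy is not declared`, which is now misleading because `default-src` may well be present; and after warning, the method stores the policy exactly as given, so a caller that forgets the directive silently switches off the clickjacking defence this commit introduces. Naming the missing directive and filling in the secure default instead of only warning keeps the protection on while still surfacing the mistake in the admin log; a caller that genuinely needs a different value can still pass one explicitly.

```php
public static function _defaultCsp(array $policies): void {
	// Directives every default policy must carry, with the value to fall back to.
	foreach (['default-src' => "'self'", 'frame-ancestors' => "'none'"] as $directive => $fallback) {
		if (!isset($policies[$directive])) {
			Minz_Log::warning("Default CSP policy does not declare {$directive}", ADMIN_LOG);
			$policies[$directive] = $fallback;
		}
	}
	self::$csp_default = $policies;
}
```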
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index f76ac49e9..b8c6bc3cd 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -1010,7 +1010,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
$details = "<pre>{$details}</pre>";
}
- header("Content-Security-Policy: default-src 'self'");
+ header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
header('Referrer-Policy: same-origin');
return <<<MSG
diff --git a/p/f.php b/p/f.php
index 14ded4bca..eafb92710 100644
--- a/p/f.php
+++ b/p/f.php
@@ -48,7 +48,7 @@ if ($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (mt
}
}
-header("Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';");
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self';");
if (!httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) {
$ico_content_type = contentType($ico);
header('Content-Type: ' . $ico_content_type);
diff --git a/p/themes/.htaccess b/p/themes/.htaccess
index b38c085e8..c095eee60 100644
--- a/p/themes/.htaccess
+++ b/p/themes/.htaccess
@@ -26,6 +26,6 @@
<IfModule mod_headers.c>
<FilesMatch "\.svg$">
- Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"
+ Header set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"
</FilesMatch>
</IfModule>