path: root/app/Models/EntryDAOSQLite.php
author: Inverle <inverle@proton.me> 2025-12-24 21:35:34 +0100
committer: GitHub <noreply@github.com> 2025-12-24 21:35:34 +0100
commit: 7e5d2d07272d89044eb80821c5feefbd133ad7f7
tree: 4346f6ee8313c9d3d40c08dcf9011b746e421842 /app/Models/EntryDAOSQLite.php
parent: 3b7ce27be4265bbc7cc8977b6456c04953c0ffa7
Change `Content-Disposition: inline` to `attachment` in `f.php` (#8344)
Some [misconfigured instances](https://github.com/FreshRSS/FreshRSS/issues/7835) may be stripping out the CSP header that `f.php` sends, which can be mitigated by forcing the browser to download the image instead of displaying it and executing JS code from unsanitized SVGs for example. Contributes to https://github.com/FreshRSS/FreshRSS/pull/8263 and https://github.com/FreshRSS/FreshRSS/pull/7924 (improving security when CSP is not present)
Diffstat (limited to 'app/Models/EntryDAOSQLite.php')
0 files changed, 0 insertions, 0 deletions
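
An added example, not part of this commit or of FreshRSS: a header check a defender could run over response heads from the image endpoint the commit message describes, to see whether an SVG would still be rendered with script enabled once a proxy strips the CSP header. The sample response heads are constructed, and the CSP value in them is an assumption, not the policy `f.php` actually sends.

```python
from email.parser import Parser

# Media types a browser renders as a document that can run script.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}

def head(*headers):
    """Build a constructed HTTP response head for the samples below."""
    return "\r\n".join(("HTTP/1.1 200 OK",) + headers) + "\r\n\r\n"

# Constructed samples; the CSP value is an assumption, not FreshRSS's real policy.
AS_SENT = head("Content-Type: image/svg+xml",
               "Content-Security-Policy: default-src 'none'; sandbox",
               "Content-Disposition: inline; filename=\"favicon.svg\"")
CSP_STRIPPED = head("Content-Type: image/svg+xml",
                    "Content-Disposition: inline; filename=\"favicon.svg\"")
CSP_STRIPPED_ATTACHMENT = head("Content-Type: image/svg+xml",
                               "Content-Disposition: attachment; filename=\"favicon.svg\"")

def scripts_blocked(csp):
    """True if the policy denies script execution in the served document."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # browsers honour only the first copy of a directive
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    sources = directives.get("script-src", directives.get("default-src"))
    return sources == ["'none'"]

def classify(raw_head):
    """Return 'download-only', 'csp-enforced', 'exposed' or 'inert-inline'."""
    msg = Parser().parsestr(raw_head.split("\r\n", 1)[1], headersonly=True)
    if msg.get_content_disposition() == "attachment":
        return "download-only"   # browser saves the file, never renders it
    if scripts_blocked(msg.get("Content-Security-Policy", "")):
        return "csp-enforced"
    if msg.get_content_type() in ACTIVE_TYPES:
        return "exposed"         # rendered inline with nothing restricting script
    return "inert-inline"

if __name__ == "__main__":
    for name in ("AS_SENT", "CSP_STRIPPED", "CSP_STRIPPED_ATTACHMENT"):
        print(f"{name}: {classify(globals()[name])}")
```

The `exposed` verdict on the stripped, inline response is the case the commit addresses; the same response with `attachment` drops to `download-only` even though the CSP header is still missing.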