frame-ancestors CSP (#7677)

author: Inverle <inverle@proton.me> 2025-06-18 22:20:17 +0200
committer: GitHub <noreply@github.com> 2025-06-18 22:20:17 +0200
commit: a6948218fb1c66fe146c7651555e5a1f791c8112 (patch)
tree: a878349b1d2808d2ed7318aa34df0546e534690e /lib/Minz
parent: aa45bcbe5a0a723c4b6adfb50139be0be6336d2b (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 350b3a9bb..80ce8386f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -14,6 +14,7 @@ abstract class Minz_ActionController {
 	/** @var array<string,string> */
 	private static array $csp_default = [
 		'default-src' => "'self'",
+		'frame-ancestors' => "'none'",
 	];
 
 	/** @var array<string,string> */
@@ -66,7 +67,7 @@ abstract class Minz_ActionController {
 	 * @param array<string,string> $policies An array where keys are directives and values are sources.
 	 */
 	public static function _defaultCsp(array $policies): void {
-		if (!isset($policies['default-src'])) {
+		if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
 			Minz_Log::warning('Default CSP policy is not declared', ADMIN_LOG);
 		}
 		self::$csp_default = $policies;
author	Inverle <inverle@proton.me>	2025-06-18 22:20:17 +0200
committer	GitHub <noreply@github.com>	2025-06-18 22:20:17 +0200
commit	a6948218fb1c66fe146c7651555e5a1f791c8112 (patch)
tree	a878349b1d2808d2ed7318aa34df0546e534690e /lib/Minz
parent	aa45bcbe5a0a723c4b6adfb50139be0be6336d2b (diff)