authorGravatar Inverle <inverle@proton.me> 2025-06-18 22:20:17 +0200
committerGravatar GitHub <noreply@github.com> 2025-06-18 22:20:17 +0200
commita6948218fb1c66fe146c7651555e5a1f791c8112 (patch)
treea878349b1d2808d2ed7318aa34df0546e534690e /lib
parentaa45bcbe5a0a723c4b6adfb50139be0be6336d2b (diff)
frame-ancestors CSP (#7677)
Diffstat (limited to 'lib')
-rw-r--r--lib/Minz/ActionController.php3
-rw-r--r--lib/lib_rss.php2
2 files changed, 3 insertions, 2 deletions
diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 350b3a9bb..80ce8386f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -14,6 +14,7 @@ abstract class Minz_ActionController {
/** @var array<string,string> */
private static array $csp_default = [
'default-src' => "'self'",
+ 'frame-ancestors' => "'none'",
];
/** @var array<string,string> */
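Review bot: The new `'frame-ancestors' => "'none'"` entry deserves a one-line comment, because the reason it must be listed separately is not obvious from the array. `frame-ancestors` does not fall back to `default-src`, so `default-src 'self'` alone places no restriction on which origins may frame the page. A comment such as `// no default-src fallback: must be set explicitly to forbid framing` above the entry would record that. The directive is also only honoured in an HTTP response header and ignored in a `<meta>` element, so it is worth confirming how this array is emitted, which this hunk does not show.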
@@ -66,7 +67,7 @@ abstract class Minz_ActionController {
* @param array<string,string> $policies An array where keys are directives and values are sources.
*/
public static function _defaultCsp(array $policies): void {
- if (!isset($policies['default-src'])) {
+ if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
Minz_Log::warning('Default CSP policy is not declared', ADMIN_LOG);
}
self::$csp_default = $policies;
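Review bot: The widened check in `_defaultCsp()` only logs, and `self::$csp_default = $policies;` still replaces the whole default, so a caller that passes a policy without `frame-ancestors` removes the framing restriction and leaves only an admin-log line behind. The unchanged message 'Default CSP policy is not declared' also no longer tells the administrator which directive is missing. Consider a separate branch with its own message, e.g. `if (!isset($policies['frame-ancestors'])) { Minz_Log::warning("CSP 'frame-ancestors' directive is not declared", ADMIN_LOG); }`. It is also worth deciding whether a missing `frame-ancestors` should be filled in from the built-in default rather than dropped. The function body continues past the end of the hunk.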
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index f76ac49e9..b8c6bc3cd 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -1010,7 +1010,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
$details = "<pre>{$details}</pre>";
}
- header("Content-Security-Policy: default-src 'self'");
+ header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
header('Referrer-Policy: same-origin');
return <<<MSG
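Review bot: The policy string in `errorMessageInfo()` is a second hand-maintained copy of the default that `Minz_ActionController::$csp_default` holds, so the two can drift the next time a directive is added. A short comment on the `header()` call, such as `// keep in sync with Minz_ActionController::$csp_default`, would make that coupling visible. Presumably this path is hard-coded because it can run before the controller is usable, and that reason would be worth stating in the same comment. The start of the enclosing function and the heredoc it returns both lie outside the hunk.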