diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2025-09-21 13:29:58 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-09-21 13:29:58 +0200 |
| commit | bc3e4c8fa4bae9591166e12caa3fb6bf73893102 (patch) | |
| tree | ee38afd776e08461ba22bdbc10fe4c17d5bff172 /p/api/query.php | |
| parent | f1cf57b5b713527b4521c4552b5f1ac023ee3adc (diff) | |
Add option for CSP frame-ancestors (#7857)
* Add option for CSP frame-ancestors
https://github.com/FreshRSS/FreshRSS/discussions/7856
* Revert contentSelectorPreviewAction
* Same for f.php and api
* Fix double init in f.php
* No sandbox for API page
Diffstat (limited to 'p/api/query.php')
| -rw-r--r-- | p/api/query.php | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/p/api/query.php b/p/api/query.php index 8aedd8ecf..4618f3e1b 100644 --- a/p/api/query.php +++ b/p/api/query.php @@ -176,12 +176,14 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') { if (in_array($format, ['rss', 'atom'], true)) { header('Content-Type: application/rss+xml; charset=utf-8'); - header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); + header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " . + (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'")); $view->_layout(null); $view->_path('index/rss.phtml'); } elseif (in_array($format, ['greader', 'json'], true)) { header('Content-Type: application/json; charset=utf-8'); - header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); + header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " . + (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'")); $view->_layout(null); $view->type = 'query/' . $token; $view->list_title = $query->getName(); @@ -193,11 +195,13 @@ if (in_array($format, ['rss', 'atom'], true)) { die(); } header('Content-Type: application/xml; charset=utf-8'); - header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); + header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " . + (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'")); $view->_layout(null); $view->_path('index/opml.phtml'); } else { - header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; frame-ancestors 'none'; media-src *"); + header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; media-src *; frame-ancestors " . + (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'")); $view->_layout('layout'); $view->_path('index/html.phtml'); } |