Put CSP everywhere (#7810)

* Puts CSP everywhere in `p/api` * including the HTML query page ❗ * Also in `p/ext.php` * Puts `X-Content-Type-Options: nosniff` everywhere * Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds) * Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed * Improves CSP of `p/f.php` * Add `sandbox` directive
author: Inverle <inverle@proton.me> 2025-08-11 19:35:54 +0200
committer: GitHub <noreply@github.com> 2025-08-11 19:35:54 +0200
commit: 7df6c201f2e6a6521d20718dfd8d9794c7437d1f (patch)
tree: fbd88eb2c462808b16e9ee476b3c619e3b2bb20c /p/ext.php
parent: 2b1b268fc27268197b8c86ed839bf22daab79438 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/p/ext.php b/p/ext.php
index f470b7210..5fdd3df6c 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -94,6 +94,8 @@ if (!is_valid_path($absolute_filename)) {
 $content_type = FreshRSS_extension_Controller::MIME_TYPES[$file_type];
 header("Content-Type: {$content_type}");
 header("Content-Disposition: inline; filename='{$file_name}'");
+header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
+header('X-Content-Type-Options: nosniff');
 header('Referrer-Policy: same-origin');
 
 $mtime = @filemtime($absolute_filename);
author	Inverle <inverle@proton.me>	2025-08-11 19:35:54 +0200
committer	GitHub <noreply@github.com>	2025-08-11 19:35:54 +0200
commit	7df6c201f2e6a6521d20718dfd8d9794c7437d1f (patch)
tree	fbd88eb2c462808b16e9ee476b3c619e3b2bb20c /p/ext.php
parent	2b1b268fc27268197b8c86ed839bf22daab79438 (diff)