Add option for CSP frame-ancestors (#7857)

* Add option for CSP frame-ancestors https://github.com/FreshRSS/FreshRSS/discussions/7856 * Revert contentSelectorPreviewAction * Same for f.php and api * Fix double init in f.php * No sandbox for API page
author: Alexandre Alapetite <alexandre@alapetite.fr> 2025-09-21 13:29:58 +0200
committer: GitHub <noreply@github.com> 2025-09-21 13:29:58 +0200
commit: bc3e4c8fa4bae9591166e12caa3fb6bf73893102 (patch)
tree: ee38afd776e08461ba22bdbc10fe4c17d5bff172 /p/ext.php
parent: f1cf57b5b713527b4521c4552b5f1ac023ee3adc (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/p/ext.php b/p/ext.php
index 71922ac01..4ee9eb1ae 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -94,7 +94,8 @@ if (!is_valid_path($absolute_filename)) {
 $content_type = FreshRSS_extension_Controller::MIME_TYPES[$file_type];
 header("Content-Type: {$content_type}");
 header("Content-Disposition: inline; filename='{$file_name}'");
-header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
+header("Content-Security-Policy: default-src 'self'; frame-ancestors " .
+	(FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
 header('X-Content-Type-Options: nosniff');
 header('Referrer-Policy: same-origin');
author	Alexandre Alapetite <alexandre@alapetite.fr>	2025-09-21 13:29:58 +0200
committer	GitHub <noreply@github.com>	2025-09-21 13:29:58 +0200
commit	bc3e4c8fa4bae9591166e12caa3fb6bf73893102 (patch)
tree	ee38afd776e08461ba22bdbc10fe4c17d5bff172 /p/ext.php
parent	f1cf57b5b713527b4521c4552b5f1ac023ee3adc (diff)