Add option for CSP frame-ancestors (#7857)

* Add option for CSP frame-ancestors
https://github.com/FreshRSS/FreshRSS/discussions/7856

* Revert contentSelectorPreviewAction

* Same for f.php and api

* Fix double init in f.php

* No sandbox for API page

1 files changed, 7 insertions, 6 deletions

diff --git a/p/f.php b/p/f.php
index 5b7b7474b..604081dd0 100644
--- a/p/f.php
+++ b/p/f.php
@@ -5,7 +5,13 @@ require LIB_PATH . '/lib_rss.php';	//Includes class autoloader
 require LIB_PATH . '/favicons.php';
 require LIB_PATH . '/http-conditional.php';
 
-header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+FreshRSS_Context::initSystem();
+if (!FreshRSS_Context::hasSystemConf()) {
+	header('HTTP/1.1 500 Internal Server Error');
+	die('Invalid system init!');
+}
+$frameAncestors = FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'";
+header("Content-Security-Policy: default-src 'none'; frame-ancestors $frameAncestors; sandbox");
 header('X-Content-Type-Options: nosniff');
 
 $no_cache = file_exists(DATA_PATH . '/no-cache.txt');
@@ -46,11 +52,6 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m
 		exit();
 	}
 
-	FreshRSS_Context::initSystem();
-	if (!FreshRSS_Context::hasSystemConf()) {
-		header('HTTP/1.1 500 Internal Server Error');
-		die('Invalid system init!');
-	}
 	if (!download_favicon($url, $ico)) {
 		// Download failed
 		if ($ico_mtime == false) {