Put CSP everywhere (#7810)

* Puts CSP everywhere in `p/api` * including the HTML query page ❗ * Also in `p/ext.php` * Puts `X-Content-Type-Options: nosniff` everywhere * Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds) * Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed * Improves CSP of `p/f.php` * Add `sandbox` directive
author: Inverle <inverle@proton.me> 2025-08-11 19:35:54 +0200
committer: GitHub <noreply@github.com> 2025-08-11 19:35:54 +0200
commit: 7df6c201f2e6a6521d20718dfd8d9794c7437d1f (patch)
tree: fbd88eb2c462808b16e9ee476b3c619e3b2bb20c /p/f.php
parent: 2b1b268fc27268197b8c86ed839bf22daab79438 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/p/f.php b/p/f.php
index fdec38c02..fc9a60abd 100644
--- a/p/f.php
+++ b/p/f.php
@@ -5,6 +5,9 @@ require(LIB_PATH . '/lib_rss.php');	//Includes class autoloader
 require(LIB_PATH . '/favicons.php');
 require(LIB_PATH . '/http-conditional.php');
 
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+header('X-Content-Type-Options: nosniff');
+
 function show_default_favicon(int $cacheSeconds = 3600): void {
 	$default_mtime = @filemtime(DEFAULT_FAVICON) ?: 0;
 	if (!httpConditional($default_mtime, $cacheSeconds, 2)) {
@@ -56,7 +59,6 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m
 	}
 }
 
-header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self';");
 if (!httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) {
 	$ico_content_type = contentType($ico);
 	header('Content-Type: ' . $ico_content_type);
author	Inverle <inverle@proton.me>	2025-08-11 19:35:54 +0200
committer	GitHub <noreply@github.com>	2025-08-11 19:35:54 +0200
commit	7df6c201f2e6a6521d20718dfd8d9794c7437d1f (patch)
tree	fbd88eb2c462808b16e9ee476b3c619e3b2bb20c /p/f.php
parent	2b1b268fc27268197b8c86ed839bf22daab79438 (diff)