| author | 2025-12-24 21:35:34 +0100 |
|---|---|
| committer | 2025-12-24 21:35:34 +0100 |
| commit | 7e5d2d07272d89044eb80821c5feefbd133ad7f7 (patch) |
| tree | 4346f6ee8313c9d3d40c08dcf9011b746e421842 /p |
| parent | 3b7ce27be4265bbc7cc8977b6456c04953c0ffa7 (diff) |
Change `Content-Disposition: inline` to `attachment` in `f.php` (#8344)
Some [misconfigured instances](https://github.com/FreshRSS/FreshRSS/issues/7835) may be stripping out the CSP header that `f.php` sends, which can be mitigated by forcing the browser to download the image instead of displaying it and executing JS code from unsanitized SVGs for example.
Contributes to https://github.com/FreshRSS/FreshRSS/pull/8263 and https://github.com/FreshRSS/FreshRSS/pull/7924
(improving security when CSP is not present)
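The commit message describes a defence-in-depth pattern for an image proxy endpoint: when the CSP header that would block script execution in an SVG may have been stripped by a reverse proxy, force a download with `Content-Disposition: attachment` so that a direct visit to the endpoint never renders the SVG in the site's origin. The following Python sketch is an added illustration written for this page, not FreshRSS code and not a port of `f.php`; the function names, the header set, and the sample bodies are assumptions. It goes a little beyond the commit by also deriving the `Content-Type` from the bytes rather than trusting an upstream header, adding `X-Content-Type-Options: nosniff`, and sanitising the identifier that ends up in the `filename` parameter.

```python
"""Added illustration (not FreshRSS code): hardened response headers for an
untrusted-image proxy such as a favicon fetcher.

Everything here is hypothetical: function names, the exact CSP value and the
constructed sample bodies are not taken from the project.
"""
import re

# Magic bytes for the raster formats a favicon endpoint commonly serves.
_MAGIC = {
    b"\x00\x00\x01\x00": "image/x-icon",    # ICO
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}

# An SVG is XML whose root element is <svg ...>; look for it near the start.
_SVG_ROOT = re.compile(rb"<svg[\s>]", re.IGNORECASE)


def sniff_image_type(body: bytes) -> str:
    """Derive the MIME type from the body itself, never from the upstream
    Content-Type header, so an SVG cannot masquerade as image/x-icon.

    Limitation: an SVG whose <svg> root starts after the first 1 KiB
    (e.g. behind a huge comment) is reported as application/octet-stream,
    which is the safe direction to fail in.
    """
    for magic, mime in _MAGIC.items():
        if body.startswith(magic):
            return mime
    if _SVG_ROOT.search(body[:1024]) is not None:
        return "image/svg+xml"
    return "application/octet-stream"


def safe_filename(file_id: str, ext: str = ".ico") -> str:
    """Keep only [A-Za-z0-9._-] so the value can never close the quoted
    filename parameter or smuggle a ';' into the header."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "", file_id) or "file"
    return cleaned + ext


def build_headers(body: bytes, file_id: str) -> dict[str, str]:
    """Headers for serving an untrusted image body.

    The CSP blocks script execution if the SVG is rendered; 'attachment'
    still forces a download on a direct navigation even if a misconfigured
    reverse proxy strips the CSP; nosniff stops the browser from second-
    guessing the declared type.
    """
    return {
        "Content-Type": sniff_image_type(body),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": f'attachment; filename="{safe_filename(file_id)}"',
    }


if __name__ == "__main__":
    # Constructed sample: an "icon" that is really an SVG carrying script.
    hostile_svg = (
        b'<?xml version="1.0"?>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg">'
        b'<script>alert(document.domain)</script></svg>'
    )
    for name, value in build_headers(hostile_svg, 'deadbeef"; x=y').items():
        print(f"{name}: {value}")
```

Because browsers apply `Content-Disposition` to navigations and frames rather than to `<img>` subresource loads, the attachment disposition does not stop the proxied icon from rendering inside the application while still preventing the endpoint from being opened as a page in the site's origin.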
Diffstat (limited to 'p')
| -rw-r--r-- | p/f.php | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -21,7 +21,7 @@ function show_default_favicon(int $cacheSeconds = 3600): void { $default_mtime = @filemtime(DEFAULT_FAVICON) ?: 0; if ($no_cache || !httpConditional($default_mtime, $cacheSeconds, 2)) { header('Content-Type: image/x-icon'); - header('Content-Disposition: inline; filename="default_favicon.ico"'); + header('Content-Disposition: attachment; filename="default_favicon.ico"'); readfile(DEFAULT_FAVICON); } } @@ -66,7 +66,7 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (r if ($no_cache || !httpConditional($ico_mtime, rand(14, 21) * 86400, 2)) { $ico_content_type = contentType($ico); header('Content-Type: ' . $ico_content_type); - header('Content-Disposition: inline; filename="' . $id . '.ico"'); + header('Content-Disposition: attachment; filename="' . $id . '.ico"'); if (!$no_cache && isset($_GET['t'])) { header('Cache-Control: immutable'); } |
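Review bot: in the first hunk (`show_default_favicon`) the switch to `attachment` deserves a short code comment explaining why it does not break favicon display: browsers apply `Content-Disposition` to top-level navigations and frames, not to `<img>` subresource loads, so the icon still renders in the UI while a direct visit to `f.php` downloads instead of rendering. Note also that this hunk serves a fixed local file with a hard-coded `Content-Type: image/x-icon` via `readfile(DEFAULT_FAVICON)`, so the unsanitised-SVG concern from the commit message does not apply here; say that the change is made for consistency with the second hunk, otherwise a future reader may revert it as unnecessary.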
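Review bot: in the second hunk, `$id` is interpolated unescaped into `header('Content-Disposition: attachment; filename="' . $id . '.ico"');`; the validation of `$id` is not visible in this hunk, so please confirm it is restricted to a safe character set earlier in `f.php` (PHP's `header()` rejects CR/LF, but a `"` or `;` in `$id` would still break out of the quoted `filename` parameter). Since the mitigation is meant for the case where the CSP header is stripped, consider also adding `header('X-Content-Type-Options: nosniff');` next to the `Content-Type` derived from `contentType($ico)`, so a body served under a non-SVG type is not sniffed into something the browser would render.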
