diff options
| -rw-r--r-- | app/Controllers/statsController.php | 3 | ||||
| -rw-r--r-- | app/FreshRSS.php | 2 | ||||
| -rw-r--r-- | p/api/fever.php | 2 | ||||
| -rw-r--r-- | p/api/greader.php | 3 | ||||
| -rw-r--r-- | p/api/index.php | 2 | ||||
| -rw-r--r-- | p/api/pshb.php | 1 | ||||
| -rw-r--r-- | p/api/query.php | 7 | ||||
| -rw-r--r-- | p/ext.php | 2 | ||||
| -rw-r--r-- | p/f.php | 4 |
9 files changed, 22 insertions, 4 deletions
diff --git a/app/Controllers/statsController.php b/app/Controllers/statsController.php index 67b1f80e9..5a7e9b79a 100644 --- a/app/Controllers/statsController.php +++ b/app/Controllers/statsController.php @@ -30,8 +30,7 @@ class FreshRSS_stats_Controller extends FreshRSS_ActionController { $this->_csp([ 'default-src' => "'self'", 'frame-ancestors' => "'none'", - 'img-src' => '* data:', - 'style-src' => "'self' 'unsafe-inline'", + 'img-src' => '* data: blob:', ]); $catDAO = FreshRSS_Factory::createCategoryDao(); diff --git a/app/FreshRSS.php b/app/FreshRSS.php index bff9f1b18..62e91ff95 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -149,7 +149,7 @@ class FreshRSS extends Minz_FrontController { } public static function preLayout(): void { - header("X-Content-Type-Options: nosniff"); + header('X-Content-Type-Options: nosniff'); FreshRSS_Share::load(join_path(APP_PATH, 'shares.php')); self::loadStylesAndScripts(); diff --git a/p/api/fever.php b/p/api/fever.php index 6251842e7..92ddb82b8 100644 --- a/p/api/fever.php +++ b/p/api/fever.php @@ -1,5 +1,7 @@ <?php declare(strict_types=1); +header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); +header('X-Content-Type-Options: nosniff'); /** * Fever API for FreshRSS diff --git a/p/api/greader.php b/p/api/greader.php index 311f17a7c..40fb5dc72 100644 --- a/p/api/greader.php +++ b/p/api/greader.php @@ -28,6 +28,9 @@ Server-side API compatible with Google Reader API layer 2 require(__DIR__ . '/../../constants.php'); require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader +header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); +header('X-Content-Type-Options: nosniff'); + if (PHP_INT_SIZE < 8) { //32-bit /** @return numeric-string */ function hex2dec(string $hex): string { diff --git a/p/api/index.php b/p/api/index.php index fd9828080..def8d4890 100644 --- a/p/api/index.php +++ b/p/api/index.php @@ -1,5 +1,7 @@ <?php declare(strict_types=1); + header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"); + header('X-Content-Type-Options: nosniff'); ?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB"> diff --git a/p/api/pshb.php b/p/api/pshb.php index 91dd4e901..b6cbc5089 100644 --- a/p/api/pshb.php +++ b/p/api/pshb.php @@ -6,6 +6,7 @@ require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader const MAX_PAYLOAD = 3_145_728; header('Content-Type: text/plain; charset=UTF-8'); +header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); header('X-Content-Type-Options: nosniff'); $ORIGINAL_INPUT = file_get_contents('php://input', false, null, 0, MAX_PAYLOAD) ?: ''; diff --git a/p/api/query.php b/p/api/query.php index 5deedc932..f7458e823 100644 --- a/p/api/query.php +++ b/p/api/query.php @@ -1,5 +1,8 @@ <?php declare(strict_types=1); + +header('X-Content-Type-Options: nosniff'); + require(__DIR__ . '/../../constants.php'); require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader @@ -175,10 +178,12 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') { if (in_array($format, ['rss', 'atom'], true)) { header('Content-Type: application/rss+xml; charset=utf-8'); + header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); $view->_layout(null); $view->_path('index/rss.phtml'); } elseif (in_array($format, ['greader', 'json'], true)) { header('Content-Type: application/json; charset=utf-8'); + header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); $view->_layout(null); $view->type = 'query/' . $token; $view->list_title = $query->getName(); @@ -190,9 +195,11 @@ if (in_array($format, ['rss', 'atom'], true)) { die(); } header('Content-Type: application/xml; charset=utf-8'); + header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); $view->_layout(null); $view->_path('index/opml.phtml'); } else { + header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; frame-ancestors 'none'; media-src *"); $view->_layout('layout'); $view->_path('index/html.phtml'); } @@ -94,6 +94,8 @@ if (!is_valid_path($absolute_filename)) { $content_type = FreshRSS_extension_Controller::MIME_TYPES[$file_type]; header("Content-Type: {$content_type}"); header("Content-Disposition: inline; filename='{$file_name}'"); +header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"); +header('X-Content-Type-Options: nosniff'); header('Referrer-Policy: same-origin'); $mtime = @filemtime($absolute_filename); @@ -5,6 +5,9 @@ require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader require(LIB_PATH . '/favicons.php'); require(LIB_PATH . '/http-conditional.php'); +header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); +header('X-Content-Type-Options: nosniff'); + function show_default_favicon(int $cacheSeconds = 3600): void { $default_mtime = @filemtime(DEFAULT_FAVICON) ?: 0; if (!httpConditional($default_mtime, $cacheSeconds, 2)) { @@ -56,7 +59,6 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m } } -header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self';"); if (!httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) { $ico_content_type = contentType($ico); header('Content-Type: ' . $ico_content_type); |