aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGELOG.md2
-rw-r--r--app/FreshRSS.php2
2 files changed, 2 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 096c930d1..43823b536 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,7 @@
## 2016-03-xx FreshRSS 1.3.1-beta
* Security
- * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
+ * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
* Features
* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index bfbd7a6eb..d6f4f4062 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -113,7 +113,7 @@ class FreshRSS extends Minz_FrontController {
public static function preLayout() {
switch (Minz_Request::controllerName()) {
case 'index':
- header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+ header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
break;
case 'stats':
header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
generated by cgit v1.2.3 (git 2.39.1) at 2026-03-22 18:56:24 +0000