aboutsummaryrefslogtreecommitdiff
path: root/lib/Minz/ActionController.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/Minz/ActionController.php')
-rw-r--r--lib/Minz/ActionController.php9
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 80ce8386f..9549a146f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -76,16 +76,17 @@ abstract class Minz_ActionController {
/**
* Set CSP policies.
*
- * A default-src directive should always be given.
+ * default-src and frame-ancestors directives should always be given.
*
* References:
- * - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
+ * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
+ * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src
+ * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors
*
* @param array<string,string> $policies An array where keys are directives and values are sources.
*/
protected function _csp(array $policies): void {
- if (!isset($policies['default-src'])) {
+ if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
$action = Minz_Request::controllerName() . '#' . Minz_Request::actionName();
Minz_Log::warning(
"Default CSP policy is not declared for action {$action}.",
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 12:05:24 +0000