aboutsummaryrefslogtreecommitdiff
path: root/p
diff options
context:
space:
mode:
Diffstat (limited to 'p')
-rw-r--r--p/api/index.php20
-rw-r--r--p/api/query.php12
-rw-r--r--p/ext.php3
-rw-r--r--p/f.php13
4 files changed, 30 insertions, 18 deletions
diff --git a/p/api/index.php b/p/api/index.php
index 279826aa5..03db02188 100644
--- a/p/api/index.php
+++ b/p/api/index.php
@@ -1,12 +1,18 @@
<?php
- declare(strict_types=1);
- require dirname(__DIR__, 2) . '/constants.php';
- require LIB_PATH . '/lib_rss.php'; //Includes class autoloader
- header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
- header('X-Content-Type-Options: nosniff');
+declare(strict_types=1);
+require dirname(__DIR__, 2) . '/constants.php';
+require LIB_PATH . '/lib_rss.php'; //Includes class autoloader
- FreshRSS_Context::initSystem();
- Minz_Translate::init(Minz_Translate::getLanguage(null, Minz_Request::getPreferredLanguages(), null));
+FreshRSS_Context::initSystem();
+if (!FreshRSS_Context::hasSystemConf()) {
+ header('HTTP/1.1 500 Internal Server Error');
+ die('Invalid system init!');
+}
+$frameAncestors = FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'";
+header("Content-Security-Policy: default-src 'self'; frame-ancestors $frameAncestors");
+header('X-Content-Type-Options: nosniff');
+
+Minz_Translate::init(Minz_Translate::getLanguage(null, Minz_Request::getPreferredLanguages(), null));
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
diff --git a/p/api/query.php b/p/api/query.php
index 8aedd8ecf..4618f3e1b 100644
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -176,12 +176,14 @@ if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
if (in_array($format, ['rss', 'atom'], true)) {
header('Content-Type: application/rss+xml; charset=utf-8');
- header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+ header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
$view->_layout(null);
$view->_path('index/rss.phtml');
} elseif (in_array($format, ['greader', 'json'], true)) {
header('Content-Type: application/json; charset=utf-8');
- header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+ header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
$view->_layout(null);
$view->type = 'query/' . $token;
$view->list_title = $query->getName();
@@ -193,11 +195,13 @@ if (in_array($format, ['rss', 'atom'], true)) {
die();
}
header('Content-Type: application/xml; charset=utf-8');
- header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+ header("Content-Security-Policy: default-src 'none'; sandbox; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
$view->_layout(null);
$view->_path('index/opml.phtml');
} else {
- header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; frame-ancestors 'none'; media-src *");
+ header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; media-src *; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
$view->_layout('layout');
$view->_path('index/html.phtml');
}
diff --git a/p/ext.php b/p/ext.php
index 71922ac01..4ee9eb1ae 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -94,7 +94,8 @@ if (!is_valid_path($absolute_filename)) {
$content_type = FreshRSS_extension_Controller::MIME_TYPES[$file_type];
header("Content-Type: {$content_type}");
header("Content-Disposition: inline; filename='{$file_name}'");
-header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
+header("Content-Security-Policy: default-src 'self'; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: same-origin');
diff --git a/p/f.php b/p/f.php
index 5b7b7474b..604081dd0 100644
--- a/p/f.php
+++ b/p/f.php
@@ -5,7 +5,13 @@ require LIB_PATH . '/lib_rss.php'; //Includes class autoloader
require LIB_PATH . '/favicons.php';
require LIB_PATH . '/http-conditional.php';
-header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+FreshRSS_Context::initSystem();
+if (!FreshRSS_Context::hasSystemConf()) {
+ header('HTTP/1.1 500 Internal Server Error');
+ die('Invalid system init!');
+}
+$frameAncestors = FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'";
+header("Content-Security-Policy: default-src 'none'; frame-ancestors $frameAncestors; sandbox");
header('X-Content-Type-Options: nosniff');
$no_cache = file_exists(DATA_PATH . '/no-cache.txt');
@@ -46,11 +52,6 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m
exit();
}
- FreshRSS_Context::initSystem();
- if (!FreshRSS_Context::hasSystemConf()) {
- header('HTTP/1.1 500 Internal Server Error');
- die('Invalid system init!');
- }
if (!download_favicon($url, $ico)) {
// Download failed
if ($ico_mtime == false) {
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 12:03:08 +0000