From 2b85a50ed72982ab0c0f9ef98c7ed1e15f21bf5f Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Sat, 9 Aug 2025 21:47:39 +0200
Subject: Show warning when unsafe CSP policy is in use (#7804)

* Show warning when unsafe CSP policy is in use

* Fix bare markdown URL

* i18n: fr

* Minor i18n: fr

* Add target="_blank" to i18n strings

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
---
 lib/Minz/ActionController.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 80ce8386f..9549a146f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -76,16 +76,17 @@ abstract class Minz_ActionController {
 	/**
 	 * Set CSP policies.
 	 *
-	 * A default-src directive should always be given.
+	 * default-src and frame-ancestors directives should always be given.
 	 *
 	 * References:
-	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
+	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
+	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src
+	 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors
 	 *
 	 * @param array<string,string> $policies An array where keys are directives and values are sources.
 	 */
 	protected function _csp(array $policies): void {
-		if (!isset($policies['default-src'])) {
+		if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
 			$action = Minz_Request::controllerName() . '#' . Minz_Request::actionName();
 			Minz_Log::warning(
 				"Default CSP policy is not declared for action {$action}.",
-- 
cgit v1.2.3