From a6948218fb1c66fe146c7651555e5a1f791c8112 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Wed, 18 Jun 2025 22:20:17 +0200
Subject: frame-ancestors CSP (#7677)

---
 lib/Minz/ActionController.php | 3 ++-
 lib/lib_rss.php | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/Minz/ActionController.php b/lib/Minz/ActionController.php
index 350b3a9bb..80ce8386f 100644
--- a/lib/Minz/ActionController.php
+++ b/lib/Minz/ActionController.php
@@ -14,6 +14,7 @@ abstract class Minz_ActionController {
 /** @var array */
 private static array $csp_default = [
 'default-src' => "'self'",
+ 'frame-ancestors' => "'none'",
 ];
 
 /** @var array */
@@ -66,7 +67,7 @@ abstract class Minz_ActionController {
 * @param array $policies An array where keys are directives and values are sources.
 */
 public static function _defaultCsp(array $policies): void {
- if (!isset($policies['default-src'])) {
+ if (!isset($policies['default-src']) || !isset($policies['frame-ancestors'])) {
 Minz_Log::warning('Default CSP policy is not declared', ADMIN_LOG);
 }
 self::$csp_default = $policies;
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index f76ac49e9..b8c6bc3cd 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -1010,7 +1010,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
 $details = "
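Review bot: The `/** @var array */` docblock on `$csp_default` says nothing about the array's shape now that it carries two directives, so a maintainer adding the next one has to read `_defaultCsp` to learn that keys are directive names and values are source expressions. `/** @var array<string, string> CSP directive name => source expression */` would document that where the default lives. The class body continues outside the hunk.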
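Review bot: The widened condition logs the same `'Default CSP policy is not declared'` whether `default-src` or `frame-ancestors` is the missing one, so the admin log cannot tell an operator which protection a caller dropped; the assignment on the next line then replaces `self::$csp_default` wholesale, so an omitted `frame-ancestors` silently disables the anti-framing default instead of falling back to it. Naming the requirement in the message, e.g. `Minz_Log::warning('Default CSP policy must declare default-src and frame-ancestors', ADMIN_LOG);`, keeps the log actionable. If callers are never meant to drop a directive, `self::$csp_default = $policies + self::$csp_default;` would keep the shipped defaults for anything they leave out, though that changes the contract for a caller that deliberately omits one, so it needs checking against the call sites.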
{$details}
";
 }
- header("Content-Security-Policy: default-src 'self'");
+ header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
 header('Referrer-Policy: same-origin');
 return <<