From bc3e4c8fa4bae9591166e12caa3fb6bf73893102 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 21 Sep 2025 13:29:58 +0200
Subject: Add option for CSP frame-ancestors (#7857)
* Add option for CSP frame-ancestors https://github.com/FreshRSS/FreshRSS/discussions/7856
* Revert contentSelectorPreviewAction
* Same for f.php and api
* Fix double init in f.php
* No sandbox for API page
---
 lib/lib_rss.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 532a9902a..0e916616d 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -1100,7 +1100,8 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
 $details = "
{$details}
";
 }
- header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
+ header("Content-Security-Policy: default-src 'self'; frame-ancestors " .
+ (FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'"));
 header('Referrer-Policy: same-origin');
 return <<
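Review bot: The configured `csp.frame-ancestors` value is concatenated into the Content-Security-Policy header on the two added lines with no validation, so a value containing `;` would append further directives (for example a `script-src` that overrides the `default-src 'self'` fallback) and silently weaken the policy on this error page. The `?? "'none'"` fallback also only covers null: assuming `attributeString()` can return an empty or whitespace-only string (its definition is not in this diff), the header would carry an empty `frame-ancestors` list rather than an explicit `'none'`. I would normalise first, `$fa = trim(FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? '');` followed by `if ($fa === '' || preg_match('/[;,\r\n]/', $fa) === 1) { $fa = "'none'"; }`, and then emit `$fa`. The commit message says the same option is applied in f.php and the API, which this lib-limited diff does not show, so a single shared helper that returns the validated value would keep every emitter consistent. errorMessageInfo's body starts and ends outside this hunk.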