From 7df6c201f2e6a6521d20718dfd8d9794c7437d1f Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Mon, 11 Aug 2025 19:35:54 +0200
Subject: Put CSP everywhere (#7810)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Puts CSP everywhere in `p/api`
   * including the HTML query page ❗
   * Also in `p/ext.php`
* Puts `X-Content-Type-Options: nosniff` everywhere
* Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds)
   * Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed
* Improves CSP of `p/f.php`

* Add `sandbox` directive
---
 p/api/greader.php | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'p/api/greader.php')

diff --git a/p/api/greader.php b/p/api/greader.php
index 311f17a7c..40fb5dc72 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -28,6 +28,9 @@ Server-side API compatible with Google Reader API layer 2
 require(__DIR__ . '/../../constants.php');
 require(LIB_PATH . '/lib_rss.php');	//Includes class autoloader
 
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+header('X-Content-Type-Options: nosniff');
+
 if (PHP_INT_SIZE < 8) {	//32-bit
 	/** @return numeric-string */
 	function hex2dec(string $hex): string {
-- 
cgit v1.2.3