From 7df6c201f2e6a6521d20718dfd8d9794c7437d1f Mon Sep 17 00:00:00 2001 From: Inverle Date: Mon, 11 Aug 2025 19:35:54 +0200 Subject: Put CSP everywhere (#7810) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Puts CSP everywhere in `p/api` * including the HTML query page ❗ * Also in `p/ext.php` * Puts `X-Content-Type-Options: nosniff` everywhere * Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds) * Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed * Improves CSP of `p/f.php` * Add `sandbox` directive --- p/api/query.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'p/api/query.php') diff --git a/p/api/query.php b/p/api/query.php index 5deedc932..f7458e823 100644 --- a/p/api/query.php +++ b/p/api/query.php @@ -1,5 +1,8 @@ _layout(null); $view->_path('index/rss.phtml'); } elseif (in_array($format, ['greader', 'json'], true)) { header('Content-Type: application/json; charset=utf-8'); + header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); $view->_layout(null); $view->type = 'query/' . $token; $view->list_title = $query->getName(); @@ -190,9 +195,11 @@ if (in_array($format, ['rss', 'atom'], true)) { die(); } header('Content-Type: application/xml; charset=utf-8'); + header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox"); $view->_layout(null); $view->_path('index/opml.phtml'); } else { + header("Content-Security-Policy: default-src 'self'; frame-src *; img-src * data:; frame-ancestors 'none'; media-src *"); $view->_layout('layout'); $view->_path('index/html.phtml'); } -- cgit v1.2.3