From 7df6c201f2e6a6521d20718dfd8d9794c7437d1f Mon Sep 17 00:00:00 2001
From: Inverle
Date: Mon, 11 Aug 2025 19:35:54 +0200
Subject: Put CSP everywhere (#7810)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Puts CSP everywhere in `p/api`
* including the HTML query page ❗
* Also in `p/ext.php`
* Puts `X-Content-Type-Options: nosniff` everywhere
* Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds)
* Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed
* Improves CSP of `p/f.php`
* Add `sandbox` directive
---
 p/f.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'p/f.php')

diff --git a/p/f.php b/p/f.php
index fdec38c02..fc9a60abd 100644
--- a/p/f.php
+++ b/p/f.php
@@ -5,6 +5,9 @@ require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader
 require(LIB_PATH . '/favicons.php');
 require(LIB_PATH . '/http-conditional.php');
 
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");
+header('X-Content-Type-Options: nosniff');
+
 function show_default_favicon(int $cacheSeconds = 3600): void {
 $default_mtime = @filemtime(DEFAULT_FAVICON) ?: 0;
 if (!httpConditional($default_mtime, $cacheSeconds, 2)) {
@@ -56,7 +59,6 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m
 }
 }
 
-header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self';");
 if (!httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) {
 $ico_content_type = contentType($ico);
 header('Content-Type: ' . $ico_content_type);
-- 
cgit v1.2.3
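Review bot: The two added `header()` calls at the top of p/f.php hard-code the policy string per script, and the commit message says the same pair is being added to `p/api` and `p/ext.php`, so the CSP and nosniff values will drift unless they live in one place; a single helper in lib (for example `sendRestrictiveHeaders();` that emits both lines) called from each entry script would keep the policy reviewable at one site. With `X-Content-Type-Options: nosniff` now unconditional, the later `header('Content-Type: ' . $ico_content_type)` in the second hunk carries more weight: some browsers refuse an image whose MIME type is not `image/*` when nosniff is set, so it is worth confirming that `contentType($ico)` (outside this hunk) always yields an image type or falls back to one, and that show_default_favicon does the same. Moving the header before the `httpConditional()` calls also means 304 and default-favicon responses now carry the policy, which appears intended but could be stated in a one-line comment above the two calls. show_default_favicon starts in the first hunk and its body continues outside it.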