Put CSP everywhere (#7810)

* Puts CSP everywhere in `p/api`
   * including the HTML query page
   * Also in `p/ext.php`
* Puts `X-Content-Type-Options: nosniff` everywhere
* Fixes custom icon configuration not showing `blob:` icon in statsController (idle feeds)
   * Also removes `style-src 'unsafe-inline'` since it doesn't seem to be needed
* Improves CSP of `p/f.php`

* Add `sandbox` directive
Inverle
2025-08-11 19:35:54 +02:00
committed by GitHub
parent 2b1b268fc2
commit 7df6c201f2
9 changed files with 22 additions and 4 deletions
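The commit message turns on two CSP rules that are easy to get wrong: `*` and `'self'` do not cover `blob:` URLs, so `blob:` must be listed as its own scheme-source, and a fetch directive that is dropped (here `style-src`) is governed by `default-src`. The following Python model of CSP source matching is an added illustration, not FreshRSS code. It copies the two policies from the hunk below; `PAGE_ORIGIN` is an assumed origin, `SANDBOXED_CSP` only illustrates how a bare `sandbox` directive serialises and is not the policy of any FreshRSS page, and host matching is simplified (ports and paths are ignored, and `'self'` is compared by scheme, host and port, so a `blob:` URL matches only through an explicit `blob:` source).

```python
"""Tiny model of CSP source matching (added illustration, not FreshRSS code):
serialise a policy like the array passed to _csp(), and decide whether a URL
is allowed for a directive, applying the default-src fallback."""
from urllib.parse import urlsplit

# Assumed page origin for the 'self' check; a real server derives it from the request.
PAGE_ORIGIN = "https://rss.example"

# Fetch directives that fall back to default-src when absent (subset of CSP3).
# frame-ancestors and sandbox do not fall back, so they are deliberately absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}

# The stats controller policies, copied from the hunk (before / after the change).
STATS_CSP_BEFORE = {
    "default-src": "'self'",
    "frame-ancestors": "'none'",
    "img-src": "* data:",
    "style-src": "'self' 'unsafe-inline'",
}
STATS_CSP_AFTER = {
    "default-src": "'self'",
    "frame-ancestors": "'none'",
    "img-src": "* data: blob:",
}
# Illustration of a bare sandbox directive only; not any FreshRSS page's policy.
SANDBOXED_CSP = {"default-src": "'none'", "sandbox": ""}


def build_csp(policy: dict) -> str:
    """Serialise a policy dict to a Content-Security-Policy header value.
    A directive with an empty value (sandbox) is emitted bare."""
    return "; ".join(name if not value else f"{name} {value}"
                     for name, value in policy.items())


def _source_matches(source: str, url: str, origin: str) -> bool:
    """Does one source expression allow `url`?  Simplified: ports and paths
    on host-sources are ignored, and 'self' is a scheme/host/port comparison,
    so blob: and data: URLs only match an explicit scheme-source."""
    u = urlsplit(url)
    if source == "'self'":
        o = urlsplit(origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source == "*":
        # The wildcard matches network schemes only; data:, blob: and
        # filesystem: have to be listed as scheme-sources.
        return u.scheme in NETWORK_SCHEMES
    if source.endswith(":"):  # scheme-source such as data: or blob:
        return u.scheme == source[:-1]
    # host-source: optional scheme, optional leading *. wildcard
    scheme, _, host = source.rpartition("://")
    if scheme and u.scheme != scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def allows(policy: dict, directive: str, url: str, origin: str = PAGE_ORIGIN) -> bool:
    """True if `url` may be loaded under `directive`.  A missing fetch
    directive is governed by default-src; a missing non-fetch directive
    (frame-ancestors, sandbox) imposes no restriction."""
    value = policy.get(directive)
    if value is None and directive in FETCH_DIRECTIVES:
        value = policy.get("default-src")
    if value is None:
        return True
    return any(_source_matches(s, url, origin) for s in value.split())


def inline_styles_allowed(policy: dict) -> bool:
    """Whether style="" attributes and <style> blocks are permitted, using the
    same default-src fallback as allows().  (Nonces/hashes, which would
    override 'unsafe-inline', are not modelled.)"""
    value = policy.get("style-src", policy.get("default-src", ""))
    return "'unsafe-inline'" in value.split()


if __name__ == "__main__":
    # Constructed sample URLs: a blob: icon as created by client-side code, a
    # data: icon, and a stylesheet from the page's own origin.
    blob_icon = "blob:https://rss.example/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"
    print(build_csp(STATS_CSP_AFTER))
    print("blob icon before:", allows(STATS_CSP_BEFORE, "img-src", blob_icon))
    print("blob icon after: ", allows(STATS_CSP_AFTER, "img-src", blob_icon))
    print("own CSS after:   ", allows(STATS_CSP_AFTER, "style-src", "https://rss.example/themes/base.css"))
    print("inline CSS after:", inline_styles_allowed(STATS_CSP_AFTER))
```

Running it shows the two effects of the hunk side by side: the `blob:` icon is rejected by `* data:` and accepted by `* data: blob:`, while removing `style-src` keeps same-origin stylesheets loadable through `default-src 'self'` but turns off `'unsafe-inline'`, which is exactly what needs verifying on the stats views.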


@@ -30,8 +30,7 @@ class FreshRSS_stats_Controller extends FreshRSS_ActionController {
$this->_csp([
'default-src' => "'self'",
'frame-ancestors' => "'none'",
'img-src' => '* data:',
'style-src' => "'self' 'unsafe-inline'",
'img-src' => '* data: blob:',
]);
$catDAO = FreshRSS_Factory::createCategoryDao();
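Review bot: dropping the `'style-src' => "'self' 'unsafe-inline'"` entry means styles on the stats page are now governed by `default-src 'self'`, which blocks every inline `style=""` attribute and `<style>` block; the commit message only says `'unsafe-inline'` "doesn't seem to be needed", and nothing in this hunk confirms it, so please load the stats views (including the idle-feeds view this hunk is fixing) with the browser console open and check for `style-src` violation reports before merging, since a blocked inline style fails silently for users. Adding `blob:` to `'img-src' => '* data: blob:'` is the right fix for the icon, because neither `*` nor `'self'` covers `blob:` URLs; a one-line comment next to it saying that the custom-icon code creates object URLs would stop a future cleanup from removing it again.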