Put CSP everywhere by Inverle · Pull Request #7810 · FreshRSS/FreshRSS

Inverle · 2025-08-10T15:59:03Z

Puts CSP everywhere in p/api
- including the HTML query page ❗
- Also in p/ext.php
Puts X-Content-Type-Options: nosniff everywhere
Fixes custom icon configuration not showing blob: icon in statsController (idle feeds)
- Also removes style-src 'unsafe-inline' since it doesn't seem to be needed
Improves CSP of p/f.php

Alkarex · 2025-08-10T22:55:51Z

p/api/greader.php

 require(__DIR__ . '/../../constants.php');
 require(LIB_PATH . '/lib_rss.php');	//Includes class autoloader

+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'");


There is no HTML here. Is it needed?

GReader can return application/xml (although with content disposition)

try pasting this in the browser address bar:
data:application/xml,<script src="data:text/javascript,alert(1)" xmlns="http://www.w3.org/1999/xhtml"></script>

(XML can run JS)

edit: and just because it has Content-Disposition doesn't mean it's safe: https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/#CVE-2025-6430 (see recent CVE)

Alkarex · 2025-08-10T22:56:14Z

p/api/pshb.php

 const MAX_PAYLOAD = 3_145_728;

 header('Content-Type: text/plain; charset=UTF-8');
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'");


No HTML here either

#7810 (comment)
just to be safe (maybe not needed with text/plain though)

Alkarex · 2025-08-10T22:56:33Z

p/api/fever.php

@@ -1,5 +1,7 @@
 <?php
 declare(strict_types=1);
+header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'");


There is no HTML here. Is it needed?

#7810 (comment)
just to be safe

Alkarex · 2025-08-10T23:38:21Z

app/Controllers/statsController.php

 			'default-src' => "'self'",
 			'frame-ancestors' => "'none'",
-			'img-src' => '* data:',
-			'style-src' => "'self' 'unsafe-inline'",


unsafe-inline not needed anymore for stats?

I don't see any CSP errors in the console when opening stats page. Haven't tested with an older browser, but I think unsafe-inline is not needed since the inline styles are inserted using JS (possibly with something like el.style.color = 'red' rather than setting the style attribute)

This is really old CSP: cb913a3
FreshRSS used flotr2 instead of chart.js back then

Answer: #1075 (comment)

Do you have a suggestion for that issue?

No issue here, chart.js applies the styles in a way that doesn't require unsafe-inline
edit: see https://github.com/chartjs/Chart.js/blob/6372280085625b43ef34d7b70f3e86b063d22a10/src/platform/platform.dom.js#L49-L85

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [freshrss/freshrss](https://freshrss.org/) ([source](https://github.com/FreshRSS/FreshRSS)) | minor | `1.26.3` -> `1.27.0` | --- ### Release Notes <details> <summary>FreshRSS/FreshRSS (freshrss/freshrss)</summary> ### [`v1.27.0`](https://github.com/FreshRSS/FreshRSS/blob/HEAD/CHANGELOG.md#2025-08-18-FreshRSS-1270) [Compare Source](FreshRSS/FreshRSS@1.26.3...1.27.0) - Features - Implement support for HTTP `429 Too Many Requests` and `503 Service Unavailable`, obey `Retry-After` [#7760](FreshRSS/FreshRSS#7760) - Add sort by category title, or by feed title [#7702](FreshRSS/FreshRSS#7702) - Add search operator `c:` for categories like `c:23,34` or `!c:45,56` [#7696](FreshRSS/FreshRSS#7696) - Custom feed favicons [#7646](FreshRSS/FreshRSS#7646), [#7704](FreshRSS/FreshRSS#7704), [#7717](FreshRSS/FreshRSS#7717), [#7792](FreshRSS/FreshRSS#7792) - Rework fetch favicons for fewer HTTP requests [#7767](FreshRSS/FreshRSS#7767) - Add more unicity criteria based on title and/or content [#7789](FreshRSS/FreshRSS#7789) - Automatically restore user configuration from backup [#7682](FreshRSS/FreshRSS#7682) - API add support for states in `s` parameter of `streamId` [#7695](FreshRSS/FreshRSS#7695) - Improve sharing via Print [#7728](FreshRSS/FreshRSS#7728) - Redirect to the login page from bookmarklet instead of 403 [#7782](FreshRSS/FreshRSS#7782) - Clean local cache more often, when refreshing feeds [#7827](FreshRSS/FreshRSS#7827) - Security - Implement reauthentication (*sudo* mode) [#7753](FreshRSS/FreshRSS#7753) - Add `Content-Security-Policy: frame-ancestors` [#7677](FreshRSS/FreshRSS#7677) - Ensure CSP everywhere [#7810](FreshRSS/FreshRSS#7810) - Show warning when unsafe CSP policy is in use [#7804](FreshRSS/FreshRSS#7804) - Fix access rights when creating a new user [#7783](FreshRSS/FreshRSS#7783) - Improve security of form for user details [#7771](FreshRSS/FreshRSS#7771), [#7786](FreshRSS/FreshRSS#7786) - Disallow setting non-existent theme [#7722](FreshRSS/FreshRSS#7722) - Regenerate cookie ID after logging out [#7762](FreshRSS/FreshRSS#7762) - Require current password when setting new password [#7763](FreshRSS/FreshRSS#7763) - Add missing access checks for feed-related actions [#7768](FreshRSS/FreshRSS#7768) - Strip more unsafe attributes such as `referrerpolicy`, `ping` [#7770](FreshRSS/FreshRSS#7770) - Remove unneeded execution permissions [#7802](FreshRSS/FreshRSS#7802) - Bug fixing - Fix redirections when scraping from HTML [#7654](FreshRSS/FreshRSS#7654), [#7741](FreshRSS/FreshRSS#7741) - Fix multiple authentication HTTP headers [#7703](FreshRSS/FreshRSS#7703) - Fix HTML queries with a single feed [#7730](FreshRSS/FreshRSS#7730) - WebSub: only perform a redirection when coming from WebSub [#7738](FreshRSS/FreshRSS#7738) - Include enclosures in entries’ hash [#7719](FreshRSS/FreshRSS#7719) - Negative side-effect: users of the option to *automatically mark updated articles as unread* will once have some articles with enclosures re-appear as unread - Fix cancellation of slider exit UI [#7705](FreshRSS/FreshRSS#7705) - Honor *disable update* on update page [#7733](FreshRSS/FreshRSS#7733) - Fix no registration limit setting [#7751](FreshRSS/FreshRSS#7751) - Fix XML encoding of sharing functions [#7822](FreshRSS/FreshRSS#7822) - SimplePie - Fix propagation of HTTP error codes [#7670](FreshRSS/FreshRSS#7670) - Fix support for XML feeds with HTML entities [#7689](FreshRSS/FreshRSS#7689), [simplepie#915](simplepie/simplepie#915) - Fix feeds encoded in UTF-16LE [#7691](FreshRSS/FreshRSS#7691), [simplepie#916](simplepie/simplepie#916) - Various upstream contributions [simplepie#917](simplepie/simplepie#917), [simplepie#924](simplepie/simplepie#924), [simplepie#926](simplepie/simplepie#926), [simplepie#932](simplepie/simplepie#932), [simplepie#933](simplepie/simplepie#933) - Sync upstream [#7706](FreshRSS/FreshRSS#7706), [FreshRSS/simplepie#45](FreshRSS/simplepie#45), [#7775](FreshRSS/FreshRSS#7775), [FreshRSS/simplepie#50](FreshRSS/simplepie#50), [#7824](FreshRSS/FreshRSS#7824), [#7825](FreshRSS/FreshRSS#7825), - Fix regex *Backtrack limit was exhausted* in `clean_hash()` [#7813](FreshRSS/FreshRSS#7813), [FreshRSS/simplepie#48](FreshRSS/simplepie#48) - Deployment - Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 [#7805](FreshRSS/FreshRSS#7805) - Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 [#7740](FreshRSS/FreshRSS#7740), [#7740](FreshRSS/FreshRSS#7740), [#7803](FreshRSS/FreshRSS#7803) - Start supporting PHP 8.5+ [#7787](FreshRSS/FreshRSS#7787), [#7826](FreshRSS/FreshRSS#7826) - Docker Alpine dev image `:newest` updated to PHP 8.5-alpha and Apache 2.4.65 [#7773](FreshRSS/FreshRSS#7773) - Docker: interpolate `FRESHRSS_INSTALL` and `FRESHRSS_USER` variables [#7725](FreshRSS/FreshRSS#7725) - Docker: Reduce how much data needs to be chown/chmod’ed on container startup [#7793](FreshRSS/FreshRSS#7793) - Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) [#7651](FreshRSS/FreshRSS#7651) - Extensions - Add API endpoint for extensions [#7576](FreshRSS/FreshRSS#7576) - Expose the reading modes for extensions [#7668](FreshRSS/FreshRSS#7668), [#7688](FreshRSS/FreshRSS#7688) - New extension hook `before_login_btn` [#7761](FreshRSS/FreshRSS#7761) - UI - Improve *mark as read* request showing popup due to `onbeforeunload` [#7554](FreshRSS/FreshRSS#7554) - Fix lazy-loading for `<video poster="...">` and `<image>` [#7636](FreshRSS/FreshRSS#7636) - Avoid styling `<code>` inside of `<pre>` [#7797](FreshRSS/FreshRSS#7797) - Improve confirmation logic with `data-auto-leave-validation` [#7785](FreshRSS/FreshRSS#7785) - Update `chart.js` to 4.5.0 [#7752](FreshRSS/FreshRSS#7752), [#7816](FreshRSS/FreshRSS#7816) - Various UI and style improvements: [#7616](FreshRSS/FreshRSS#7616), [#7811](FreshRSS/FreshRSS#7811) - I18n - Show translation status in README [#7715](FreshRSS/FreshRSS#7715) - Improve Indonesian [#7654](FreshRSS/FreshRSS#7654), [#7721](FreshRSS/FreshRSS#7721) - Improve Persian [#7795](FreshRSS/FreshRSS#7795) - Misc. - Improve PHP code [#7642](FreshRSS/FreshRSS#7642), [#7665](FreshRSS/FreshRSS#7665), [#7761](FreshRSS/FreshRSS#7761), [#7781](FreshRSS/FreshRSS#7781), [#7794](FreshRSS/FreshRSS#7794) - Update dev dependencies [#7708](FreshRSS/FreshRSS#7708), [#7709](FreshRSS/FreshRSS#7709), [#7710](FreshRSS/FreshRSS#7710), [#7711](FreshRSS/FreshRSS#7711), [#7776](FreshRSS/FreshRSS#7776), [#7777](FreshRSS/FreshRSS#7777) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1253 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

Inverle · 2025-09-17T10:54:06Z

Should https://github.com/FreshRSS/FreshRSS/blob/edge/p/api/misc.php also have CSP?

Alkarex · 2025-09-17T12:06:05Z

Should https://github.com/FreshRSS/FreshRSS/blob/edge/p/api/misc.php also have CSP?

It may be used for any form of API, potentially also some Web-based, so yes, good idea

Inverle · 2025-09-17T12:30:59Z

So if we added

header("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox");

at the top of misc.php, an extension can just overwrite it with another header() call?

Inverle · 2025-09-17T13:33:39Z

ravenscroftj/freshrss-flaresolverr-extension#31

Alkarex · 2025-09-17T20:07:24Z

an extension can just overwrite it with another header() call?

Hum, to be tested, and may depend on output buffering, but in general I am not sure that works

Put CSP everywhere

35b2f51

Alkarex added this to the 1.27.0 milestone Aug 10, 2025

Alkarex added the Security 🛡️ label Aug 10, 2025

Alkarex reviewed Aug 10, 2025

View reviewed changes

Add sandbox directive

ccc139d

Alkarex merged commit 7df6c20 into FreshRSS:edge Aug 11, 2025
1 check passed

Inverle deleted the csp-everywhere branch August 11, 2025 18:36

Uh oh!

Conversation

Inverle commented Aug 10, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Inverle Aug 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Inverle Aug 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Inverle Aug 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Inverle commented Sep 17, 2025

Uh oh!

Alkarex commented Sep 17, 2025

Uh oh!

Inverle commented Sep 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Inverle commented Sep 17, 2025

Uh oh!

Alkarex commented Sep 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Inverle Aug 10, 2025 •

edited

Loading

Inverle Aug 10, 2025 •

edited

Loading

Inverle Aug 11, 2025 •

edited

Loading

Inverle commented Sep 17, 2025 •

edited

Loading