[Bug] 1.27.0 removes all CSP Header

[sleeksorrow]

Describe the bug

It seems that version 1.27.0 actively removes all CSP headers.

I updated from 1.26.3 to 1.27.0 using git. Afterwards I got the warning in FreshRSS: "The CSP header in use is unsafe and FreshRSS may be vulnerable to XSS attacks." I read the documentation and tested myself and I found outr two things:
1: There are no CSP headers sent in FreshRSS.
2: I have no CSP headers set myself. Other paths on my webserver also have no CSP headers.
3: If I enable CSP headers in my webserver config, then they are sent in all other locations but not on /FreshRSS path.

Using Apache2 2.4.58 on Ubuntu 24.04.

I also downgraded back to version 1.26.3 and the warning is gone. But when I was searching respone headers I also do not see any. Also if I enable them in server config, then they are in other paths but not in /FreshRSS, just like with 1.27.0, just without warning. So maybe the problem is something else and 1.27.0 has this new warning feature? I see some CSP changes in release information. But then I'm quite clueless where I messed up. I tend to leave as much in default as possible.

To Reproduce

1. Go to my private server URL /FreshRSS
2. Log in
3. See warning message
4. Cannot find CSP Headers in response

Expected behavior

1. Go to my private server URL /FreshRSS
2. Log in
3. See no warning message
4. Find secure CSP Headers in response

FreshRSS version

1.27.0

System information

• Database version: mariadb 10.11.13
• PHP version: 8.3
• Installation type: git
• Web server type: Apache 2.4.58
• OS: Ubuntu 24.04
• Browser: Firefox 141.0.3

Additional context

No response

[Alkarex]

Hello,
Do you have some kind of proxy in addition to your Apache?

[sleeksorrow]

No, just vanilla apache with mod_php and SSL. I checked my site config and did not find any special stuff. I had some ProxyPass directives that are obsolete and removed them to make it even simpler. If you think it can be some server config setting I will try more. I set some other headers, I can try to comment that out for a test.
EDIT: No change by that

[Vagenthar]

It has also stop working in iFrame. refused connections.

[vk2r]

From what I've been reading, in the new version of FreshRSS you have to send a specific CSP policy, otherwise it will display an error on the page, defined as a security issue. See CSP Header.

I also have this problem. I am running FreshRSS on a shared host by manitu.de. Not sure where i can edit the headers sent there since i do not have that much control over the webserver.

[Alkarex]

@stunlocked94 What problem do you observe, more precisely?

@stunlocked94 What problem do you observe, more precisely?

I am sorry, i should have specified it. I was googling around for half an hour by this point so i forgot.
I am also getting the CSP header notification when i open the subscription management interface.

I have not changed any options nor installed any addons.

[sleeksorrow]

So I'm out of ideas. I can set any Header in apache conf that I want, they all are there in the answer headers when I test it in browser. But any CSP Header that I set in apache config is being removed by FreshRSS.

[Inverle]

How is it being removed by FreshRSS? FreshRSS is just showing a warning that the CSP header is misconfigured.

FreshRSS/p/scripts/main.js

Lines 2194 to 2206 in 5e8c964

	try {
	// eslint-disable-next-line no-new-func
	Function();
	} catch (_) {
	// Exit if 'script-src' is set and 'unsafe-eval' isn't set in CSP
	return;
	}
	document.body.insertAdjacentHTML('afterbegin', `
	<div class="alert alert-error">
	<span>${context.i18n.unsafe_csp_header}</span>
	</div>
	`);

Can you show an example?

[sleeksorrow]

I am no developer, I cannot say if and how PHP can unset headers of apache. I just know when I set some different header then it is visible everywhere on my server on any path including /FreshRSS. When I set a Content-Security-Policy header, it is visible on every path BUT NOT /FreshRSS.

[sleeksorrow]

Grrrrrrrrr I have no idea where this file is coming from on my setup:

# cat p/i/.htaccess
Header unset Content-Security-Policy

Sorry, resolved for me.....

[Inverle]

So removing the file fixed your issue?