Hi
On Mon, 25 Jun 2012 11:27:43 +0100 Rouslan Placella rouslan@placella.com wrote:
I've just dropped the cross_framing_protection.js script in my branch. However there is the below bit of code from Header.class.php that I'm not too sure what to do with.
/* Prevent against ClickJacking by allowing frames only from same origin */
if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
    header(
        "X-Content-Security-Policy: allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors 'self'; img-src 'self' data:; "
        . "script-src 'self' http://www.phpmyadmin.net"
    );
    header(
        "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
        . "options inline-script eval-script"
    );
}
I'm guessing that we need CSP for the version checker (or do we?), but we don't really need the configuration directive for it. Not sure how to proceed here. Any help appreciated, thanks.
I think CSP should be present in all cases. Actually it should have been present also when framing is enabled, only adjusted so that it would allow framing.
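The approach suggested in the reply, sending the CSP headers unconditionally and only relaxing frame-ancestors when AllowThirdPartyFraming is set, as an added example that is not phpMyAdmin's code and not part of the thread. The directive lists are copied from the headers quoted above; the function names, the use of '*' as the relaxed frame-ancestors value, and the addition of frame-ancestors to the X-WebKit-CSP value (which, as posted, carries no framing directive at all) are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code: derive both CSP header values from the
// single AllowThirdPartyFraming flag so the policy is always sent and only the
// frame-ancestors directive changes. Directives match the headers quoted in the
// thread; function names and the '*' value are assumptions.

function buildCspHeaders(bool $allowThirdPartyFraming): array
{
    // Same-origin framing only, unless the administrator opted in to being
    // embedded by other sites.
    $frameAncestors = $allowThirdPartyFraming ? '*' : "'self'";

    $policy = "allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors $frameAncestors; "
        . "img-src 'self' data:; "
        . "script-src 'self' http://www.phpmyadmin.net";

    // The WebKit header in the original block had no frame-ancestors directive;
    // it is added here so the two policies say the same thing about framing
    // (assumption: a browser that does not know the directive simply ignores it).
    $webkitPolicy = "allow 'self' http://www.phpmyadmin.net; "
        . "options inline-script eval-script; "
        . "frame-ancestors $frameAncestors";

    return [
        'X-Content-Security-Policy' => $policy,
        'X-WebKit-CSP'              => $webkitPolicy,
    ];
}

function sendCspHeaders(bool $allowThirdPartyFraming): void
{
    foreach (buildCspHeaders($allowThirdPartyFraming) as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Intended call site, replacing the conditional block from Header.class.php:
// sendCspHeaders((bool) $GLOBALS['cfg']['AllowThirdPartyFraming']);

// Self-check from the command line (no headers are sent in CLI mode).
if (PHP_SAPI === 'cli') {
    foreach ([false, true] as $allow) {
        echo ($allow ? 'framing allowed' : 'framing blocked') . ":\n";
        foreach (buildCspHeaders($allow) as $name => $value) {
            echo "  $name: $value\n";
        }
    }
}
```

Because the policy is sent in both branches, the script-src and img-src restrictions (and the allowance for the version checker host) no longer disappear when an administrator enables third-party framing; only the framing rule is relaxed.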