Hi Dieter,
I've just dropped the cross_framing_protection.js script in my branch. However, there is the below bit of code from Header.class.php that I'm not too sure what to do with.

    /* Prevent against ClickJacking by allowing frames only from same origin */
    if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
        header(
            "X-Content-Security-Policy: allow 'self'; "
            . "options inline-script eval-script; "
            . "frame-ancestors 'self'; img-src 'self' data:; "
            . "script-src 'self' http://www.phpmyadmin.net"
        );
        header(
            "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
            . "options inline-script eval-script"
        );
    }

I'm guessing that we need CSP for the version checker (or do we?), but we don't really need the configuration directive for it. Not sure how to proceed here. Any help appreciated, thanks.
Bye, Rouslan