Hi Dieter,
I've just dropped the cross_framing_protection.js script in my branch. However there is the below bit of code from Header.class.php that I'm not too sure what to do with.
/* Prevent against ClickJacking by allowing frames only from same origin */
if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
    header(
        "X-Content-Security-Policy: allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors 'self'; img-src 'self' data:; "
        . "script-src 'self' http://www.phpmyadmin.net"
    );
    header(
        "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
        . "options inline-script eval-script"
    );
}
I'm guessing that we need CSP for the version checker (or do we?), but we don't really need the configuration directive for it. Not sure how to proceed here. Any help appreciated, thanks.
Bye, Rouslan
Hi
On Mon, 25 Jun 2012 11:27:43 +0100 Rouslan Placella rouslan@placella.com wrote:
I'm guessing that we need CSP for the version checker (or do we?), but we don't really need the configuration directive for it. Not sure how to proceed here. Any help appreciated, thanks.
I think CSP should be present in all cases. Actually it should have been present also when framing is enabled, only adjusted so that it would allow framing.
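The shape Michal describes, as an added example rather than phpMyAdmin's own Header.class.php code: the CSP headers are sent unconditionally and only the frame-ancestors source list changes with the framing setting. The function names, the $versionCheckHost parameter (standing in for the www.phpmyadmin.net origin the version checker loads from) and the self-check are assumptions of this example; it also goes a little beyond the thread by emitting the standardised Content-Security-Policy and X-Frame-Options headers next to the prefixed X-Content-Security-Policy / X-WebKit-CSP forms the 2012 code used.

```php
<?php
// Added example, not phpMyAdmin code. CSP is always emitted; only the
// frame-ancestors list depends on the AllowThirdPartyFraming setting.
// $versionCheckHost is an assumed parameter for the version-checker origin.

/**
 * Build the anti-clickjacking / CSP headers for a response.
 *
 * @param bool   $allowThirdPartyFraming  same meaning as $cfg['AllowThirdPartyFraming']
 * @param string $versionCheckHost        origin the version checker may load scripts from
 * @return array<string,string>           header name => header value
 */
function buildFramingHeaders($allowThirdPartyFraming, $versionCheckHost = 'http://www.phpmyadmin.net')
{
    // The only part of the policy that depends on the configuration.
    $frameAncestors = $allowThirdPartyFraming ? '*' : "'self'";

    $headers = array(
        // Standard header: the thread's policy expressed in CSP 1.x syntax.
        'Content-Security-Policy' =>
            "default-src 'self'; "
            . "script-src 'self' 'unsafe-inline' 'unsafe-eval' " . $versionCheckHost . "; "
            . "img-src 'self' data:; "
            . "frame-ancestors " . $frameAncestors,
        // Legacy prefixed forms, kept as in the thread apart from frame-ancestors.
        'X-Content-Security-Policy' =>
            "allow 'self'; options inline-script eval-script; "
            . "frame-ancestors " . $frameAncestors . "; img-src 'self' data:; "
            . "script-src 'self' " . $versionCheckHost,
        'X-WebKit-CSP' =>
            "allow 'self' " . $versionCheckHost . "; options inline-script eval-script",
    );

    // Fallback for browsers without frame-ancestors support. X-Frame-Options has
    // no "allow everyone" value, so it is only emitted when framing is denied.
    if (! $allowThirdPartyFraming) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }

    return $headers;
}

/** Emit the headers; must run before any output, like the original header() calls. */
function sendFramingHeaders($allowThirdPartyFraming)
{
    foreach (buildFramingHeaders($allowThirdPartyFraming) as $name => $value) {
        header($name . ': ' . $value);
    }
}

/** Self-check: true when both configurations produce the expected policy. */
function framingHeadersLookRight()
{
    $denied  = buildFramingHeaders(false);
    $allowed = buildFramingHeaders(true);
    return strpos($denied['Content-Security-Policy'], "frame-ancestors 'self'") !== false
        && $denied['X-Frame-Options'] === 'SAMEORIGIN'
        && strpos($allowed['Content-Security-Policy'], 'frame-ancestors *') !== false
        && ! isset($allowed['X-Frame-Options']);
}

// Run from the CLI to print the "framing denied" header set and exit non-zero
// if the self-check fails.
if (PHP_SAPI === 'cli') {
    foreach (buildFramingHeaders(false) as $name => $value) {
        echo $name, ': ', $value, "\n";
    }
    exit(framingHeadersLookRight() ? 0 : 1);
}
```

The split into a builder that returns an array and a sender that calls header() keeps the policy testable without a web server. After deploying, `curl -I` against a page is enough to confirm that frame-ancestors is present in every configuration and that X-Frame-Options appears only when third-party framing is denied.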
On 25/06/12 11:54, Michal Čihař wrote:
I think CSP should be present in all cases. Actually it should have been present also when framing is enabled, only adjusted so that it would allow framing.
Thanks for the quick reply. So it's like I thought, drop the config directive and leave in some slightly modified headers.