25 Apr
2010
25 Apr
'10
5:53 p.m.
The branch, master has been updated
via 2154120e3a3e3eb111772c69ddc1eec72c0345f1 (commit)
from ec263b9170f89b033374ae8a1281d779693d8200 (commit)
- Log -----------------------------------------------------------------
commit 2154120e3a3e3eb111772c69ddc1eec72c0345f1
Author: Michal Čihař <michal(a)cihar.com>
Date: Sun Apr 25 16:51:53 2010 +0200
[core] Include Content Security Policy HTTP headers.
See <https://wiki.mozilla.org/Security/CSP/Specification> for more
details. I hope current rule is flexible enough to avoid impact on
existing functionality.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 1 +
libraries/header_http.inc.php | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 06d98cb..40fa43b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -80,6 +80,7 @@ $Id$
+ rfe #2983207, patch #2988715 [interface] Use jQuery calendar dialog, thanks
to Muhammad Adnan.
+ [doc] Incorporate synchronisation docs into main document.
++ [core] Include Content Security Policy HTTP headers.
3.3.3.0 (not yet released)
- patch #2982480 [navi] Do not group if there would be one table in group,
diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php
index 2a1c445..46f8017 100644
--- a/libraries/header_http.inc.php
+++ b/libraries/header_http.inc.php
@@ -23,6 +23,7 @@ $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . '
GMT';
/* Prevent against ClickJacking by allowing frames only from same origin */
if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
header('X-Frame-Options: SAMEORIGIN');
+ header('X-Content-Security-Policy: allow \'self\'; options inline-script
eval-script; frame-ancestors \'self\'');
}
header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
header('Last-Modified: ' . $GLOBALS['now']);
hooks/post-receive
--
phpMyAdmin