The branch, master has been updated via 612598fe7fbc6c6cf6305a798e9b48b435ea7a91 (commit) from 260cf97a06e2e2cb046093228d4267f8501823b7 (commit)

- Log ----------------------------------------------------------------- commit 612598fe7fbc6c6cf6305a798e9b48b435ea7a91 Author: Piotr Przybylski piotrprz@gmail.com Date: Fri Mar 4 23:06:49 2011 +0100

Fix CSP header: * add 'self' for img-src and script-src * version.js access: - remove protocol (shorter and useful mainly when HTTPS is required) - remove path (invalid syntax, only hosts are allowed there)

-----------------------------------------------------------------------

Summary of changes: libraries/header_http.inc.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php index f7c27b2..9ad890d 100644 --- a/libraries/header_http.inc.php +++ b/libraries/header_http.inc.php @@ -22,7 +22,7 @@ $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT'; /* Prevent against ClickJacking by allowing frames only from same origin */ if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) { header('X-Frame-Options: SAMEORIGIN'); - header('X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src data:; script-src http://www.phpmyadmin.net/home_page/version.js'); + header('X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net'); } header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21 header('Last-Modified: ' . $GLOBALS['now']);

hooks/post-receive