The branch, master has been updated
       via  2154120e3a3e3eb111772c69ddc1eec72c0345f1 (commit)
      from  ec263b9170f89b033374ae8a1281d779693d8200 (commit)

- Log -----------------------------------------------------------------
commit 2154120e3a3e3eb111772c69ddc1eec72c0345f1
Author: Michal Čihař <michal@cihar.com>
Date:   Sun Apr 25 16:51:53 2010 +0200
[core] Include Content Security Policy HTTP headers.
See https://wiki.mozilla.org/Security/CSP/Specification for more details. I hope the current rule is flexible enough to avoid impact on existing functionality.
-----------------------------------------------------------------------
Summary of changes:
 ChangeLog                     |    1 +
 libraries/header_http.inc.php |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog index 06d98cb..40fa43b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -80,6 +80,7 @@ $Id$ + rfe #2983207, patch #2988715 [interface] Use jQuery calendar dialog, thanks to Muhammad Adnan. + [doc] Incorporate synchronisation docs into main document. ++ [core] Include Content Security Policy HTTP headers.
3.3.3.0 (not yet released) - patch #2982480 [navi] Do not group if there would be one table in group, diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php index 2a1c445..46f8017 100644 --- a/libraries/header_http.inc.php +++ b/libraries/header_http.inc.php @@ -23,6 +23,7 @@ $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT'; /* Prevent against ClickJacking by allowing frames only from same origin */ if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) { header('X-Frame-Options: SAMEORIGIN'); + header('X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self''); } header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21 header('Last-Modified: ' . $GLOBALS['now']);
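Review bot: the new `header(...)` call in `libraries/header_http.inc.php` is wrapped in a single-quoted PHP literal that itself contains the unescaped single quotes of `'self'`, so as shown the string ends after `allow ` and the file will not parse; wrap the whole value in double quotes (`header("X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'");`) or escape the inner quotes. A second problem is placement: the policy sits inside `if (!$GLOBALS['cfg']['AllowThirdPartyFraming'])`, so an installation that enables third-party framing loses the entire CSP header, not just the `frame-ancestors 'self'` clause; emit the `allow 'self'; options ...` part unconditionally and append `frame-ancestors 'self'` only in that branch. Finally, `options inline-script eval-script` re-enables inline scripts and `eval`, so the header restricts only the origins resources may load from and does not add script-injection protection; the ChangeLog entry "Include Content Security Policy HTTP headers" would be clearer if it said so.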
hooks/post-receive