[Phpmyadmin-devel] Content-Security-Policy headers

Piotr Przybylski piotr.prz at gmail.com
Sun Sep 25 17:37:56 CEST 2011


2011/9/25 Marc Delisle <marc at infomarc.info>:
> On 2011-09-25 06:18, Marc Delisle wrote:
>> On 2011-09-24 14:30, Rouslan Placella wrote:
>>> On Sat, 2011-09-24 at 10:54 -0400, Marc Delisle wrote:
>>>> Hi,
>>>>
>>>> In the 3.4 family (QA_3_4) running on my test server, when testing the
>>>> Designer and clicking on "Show/hide left menu", nothing happens except
>>>> that my Firefox 6 console complains about a Content Security Policy
>>>> violation.
>>>>
>>>> On the same server, trying version 3.5 (master) works fine. Both versions
>>>> have in libraries/header_http.inc.php the line that emits an
>>>> X-Content-Security-Policy header.
>>>>
>>>> In 3.4, if I remove this line, all works fine.
>>>
>>> Yes, I can reproduce this, exactly as you have described it.
>>> [PHP 5.3.5, Firefox 6.0.2, Ubuntu 11.04]
>>>
>>> Rouslan
>>
>> Thanks. I just noticed that it has been reported in the bug tracker:
>> https://sourceforge.net/tracker/index.php?func=detail&aid=3324161&group_id=23067&atid=377408
>>
>> A remark in the artifact made me test this bug under IE 8 and there is
>> no problem; it probably does not care about this header.
>>
>
> Piotr,
> any idea about this issue?
>
> (see commit 612598fe7fbc6c6cf6305a798e9b48b435ea7a91)
>

Looks like it's caused by a CSP spec change:
https://bugzilla.mozilla.org/show_bug.cgi?id=631040

Instead of changing our security policy I removed all remaining
"javascript:" links in QA_3_4.

-- 
Piotr Przybylski
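
An added example, not part of the original message or of phpMyAdmin's code: a small Node.js audit that flags the "javascript:" links the message describes removing. It goes slightly further and also flags inline on* handlers, which a policy that disallows inline script blocks as well. The function names and the sample markup are constructed for illustration.

```javascript
// Audit markup for constructs that a CSP without inline script will block.
// Limitation: HTML entities in attribute values are not decoded.
const TAG = /<[a-zA-Z](?:"[^"]*"|'[^']*'|[^'">])*>/g;
const ATTR = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);

function isJavascriptUrl(value) {
  // URL parsing drops leading control characters and spaces, and any
  // tab or newline inside the URL, before the scheme is compared.
  const v = value.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(v);
}

function findInlineScript(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    // 1-based line number of the tag's opening "<"
    const line = html.slice(0, tag.index).split("\n").length;
    // Drop the tag name, then walk the attributes.
    const body = tag[0].replace(/^<[^\s>\/]+/, "");
    for (const m of body.matchAll(ATTR)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (URL_ATTRS.has(name) && isJavascriptUrl(value)) {
        findings.push({ line, kind: "javascript-url", attr: name });
      } else if (/^on[a-z]+$/.test(name)) {
        findings.push({ line, kind: "inline-handler", attr: name });
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from phpMyAdmin).
const SAMPLE = [
  '<a href="javascript:toggleMenu()">Show/hide left menu</a>',
  '<a href="#" id="toggle_menu">Show/hide left menu</a>',
  '<img src="x.png" onclick="if (a > b) go()">',
  "<a href=' JavaScript:void(0)'>noop</a>",
  "<p>See javascript: in plain text</p>",
].join("\n");

for (const f of findInlineScript(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} in ${f.attr}`);
}
```

The second sample line is the CSP-compatible form: a plain link with an id, with the click behaviour attached from an external script file.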



