[Phpmyadmin-devel] Content-Security-Policy headers

Marc Delisle marc at infomarc.info
Mon Sep 26 00:23:30 CEST 2011


On 2011-09-25 11:37, Piotr Przybylski wrote:
> 2011/9/25 Marc Delisle <marc at infomarc.info>:
>> On 2011-09-25 06:18, Marc Delisle wrote:
>>> On 2011-09-24 14:30, Rouslan Placella wrote:
>>>> On Sat, 2011-09-24 at 10:54 -0400, Marc Delisle wrote:
>>>>> Hi,
>>>>>
>>>>> In the 3.4 family (QA_3_4) running on my test server, when testing the
>>>>> Designer and clicking on "Show/hide left menu", nothing happens except
>>>>> that my Firefox 6 console complains about a Content Security Policy
>>>>> violation.
>>>>>
>>>>> On the same server, trying version 3.5 (master) works fine. Both versions
>>>>> have in libraries/header_http.inc.php the line that emits an
>>>>> X-Content-Security-Policy header.
>>>>>
>>>>> In 3.4, if I remove this line, all works fine.
>>>>
>>>> Yes, I can reproduce this, exactly as you have described it.
>>>> [PHP 5.3.5, Firefox 6.0.2, Ubuntu 11.04]
>>>>
>>>> Rouslan
>>>
>>> Thanks. I just noticed that it has been reported in the bug tracker:
>>> https://sourceforge.net/tracker/index.php?func=detail&aid=3324161&group_id=23067&atid=377408
>>>
>>> A remark in the artifact made me test this bug under IE 8 and there is
>>> no problem; it probably does not care about this header.
>>>
>>
>> Piotr,
>> any idea about this issue?
>>
>> (see commit 612598fe7fbc6c6cf6305a798e9b48b435ea7a91)
>>
> 
> Looks like it's caused by CSP specs change:
> https://bugzilla.mozilla.org/show_bug.cgi?id=631040
> 
> Instead of changing our security policy I removed all remaining
> "javascript:" links in QA_3_4.
> 
Good fix, thanks.

-- 
Marc Delisle
http://infomarc.info
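
The fix in this thread removed the remaining "javascript:" links rather than loosening the policy. As an added example (not from the original message or from phpMyAdmin's code), this scanner lists such links in a piece of markup so they can be rewritten; the sample markup and the `toggleMenu` name are constructed.

```javascript
// Added example: audit markup for "javascript:" URLs before enforcing a CSP.
// SAMPLE and toggleMenu() are constructed for illustration.

// Decode the character references that can hide a scheme inside an attribute.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/g, ':').replace(/&Tab;/g, '\t').replace(/&NewLine;/g, '\n');
}

// Browsers drop leading control characters/spaces and any tab or newline
// before reading the scheme, so normalize the same way before matching.
function isScriptUrl(value) {
  const url = decodeEntities(value)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(url);
}

// URL-bearing attributes, with double-quoted, single-quoted or bare values.
const ATTR_RE =
  /(?<![\w-])(href|src|action|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Return one finding per attribute whose value is a javascript: URL.
function findScriptUrls(markup) {
  const findings = [];
  for (const m of markup.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (isScriptUrl(value)) {
      const line = markup.slice(0, m.index).split('\n').length;
      findings.push({ line, attr: m[1].toLowerCase(), value });
    }
  }
  return findings;
}

const SAMPLE = [
  '<a href="javascript:toggleMenu()">Show/hide left menu</a>',
  '<a href="#" id="toggle_menu">Show/hide left menu</a>',
  "<a href=' JavaScript:void(0)'>x</a>",
  '<a href="java&#x09;script&colon;go()">y</a>',
  '<a href="doc.html#javascript:">docs</a>',
].join('\n');

console.log(findScriptUrls(SAMPLE));
```

Each finding carries the line number and attribute, so the flagged links can be replaced with ordinary links whose handlers are attached from an external script file.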
