[Phpmyadmin-devel] Cross framing protection

Rouslan Placella rouslan at placella.com
Mon Jun 25 12:27:43 CEST 2012


Hi Dieter,

I've just dropped the cross_framing_protection.js script in my branch. 
However there is the below bit of code from Header.class.php that I'm 
not too sure what to do with.

> /* Prevent against ClickJacking by allowing frames only from same origin */
> if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
>     header(
>         "X-Content-Security-Policy: allow 'self'; "
>         . "options inline-script eval-script; "
>         . "frame-ancestors 'self'; img-src 'self' data:; "
>         . "script-src 'self' http://www.phpmyadmin.net"
>     );
>     header(
>         "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
>         . "options inline-script eval-script"
>     );
> }

I'm guessing that we need CSP for the version checker (or do we?), but 
we don't really need the configuration directive for it. Not sure how to 
proceed here. Any help appreciated, thanks.

Bye,
Rouslan
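
An added example, not code from phpMyAdmin or from this thread: a small PHP helper that builds the same anti-clickjacking policy as the quoted Header.class.php snippet, but also emits the unprefixed Content-Security-Policy header and an X-Frame-Options fallback for browsers that understand neither prefixed form. The function name buildFramingHeaders and the $versionCheckHost parameter are assumptions made here; the host value is the one whitelisted in the quoted script-src. Note that only frame-ancestors does anything against clickjacking; script-src and img-src are separate concerns and are kept here only because the quoted policy has them (presumably for the version checker, which the quoted snippet suggests loads a script from www.phpmyadmin.net). The X-WebKit-CSP header is written in the CSP 1.0 directive syntax that WebKit's prefixed implementation used, while X-Content-Security-Policy keeps Mozilla's older allow/options syntax.

```php
<?php
// Added example (not phpMyAdmin's own code). Mirrors $cfg['AllowThirdPartyFraming']:
// when third-party framing is allowed, no restrictive headers are sent at all.
// $versionCheckHost is an assumed parameter name for the host whitelisted in script-src.
function buildFramingHeaders($allowThirdPartyFraming, $versionCheckHost = 'http://www.phpmyadmin.net')
{
    if ($allowThirdPartyFraming) {
        // Operator explicitly opted in to being framed by other origins.
        return array();
    }

    // Standard CSP 1.0 syntax. frame-ancestors 'self' is the clickjacking defence;
    // the script-src entry for $versionCheckHost is only needed if the page really
    // loads a script from that host.
    $standard = "default-src 'self'; "
        . "script-src 'self' 'unsafe-inline' 'unsafe-eval' " . $versionCheckHost . "; "
        . "img-src 'self' data:; "
        . "frame-ancestors 'self'";

    // Mozilla's pre-standard syntax, as used by the quoted Header.class.php code.
    $mozillaPrefixed = "allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors 'self'; img-src 'self' data:; "
        . "script-src 'self' " . $versionCheckHost;

    return array(
        'Content-Security-Policy'   => $standard,
        'X-Content-Security-Policy' => $mozillaPrefixed,
        // WebKit's prefixed header took the CSP 1.0 directive syntax, so reuse it.
        'X-WebKit-CSP'              => $standard,
        // Fallback for browsers with no CSP support at all.
        'X-Frame-Options'           => 'SAMEORIGIN',
    );
}

// Send the headers; header() is a no-op under the CLI SAPI, so this is safe to
// call from a command-line test run as well as from a real request.
function sendFramingHeaders($allowThirdPartyFraming)
{
    foreach (buildFramingHeaders($allowThirdPartyFraming) as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Usage: show what would be sent with the default (framing not allowed) setting.
foreach (buildFramingHeaders(false) as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```

If the decision is to keep the headers but drop the configuration directive, the $allowThirdPartyFraming branch simply goes away; if the version checker stops needing a remote script, the $versionCheckHost entry in script-src can be removed without weakening the frame-ancestors protection, since the two directives are independent.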