[Phpmyadmin-devel] Cross framing protection
Rouslan Placella
rouslan at placella.com
Mon Jun 25 12:27:43 CEST 2012
Hi Dieter,
I've just dropped the cross_framing_protection.js script in my branch.
However, there is the below bit of code from Header.class.php that I'm
not too sure what to do with.
> /* Prevent against ClickJacking by allowing frames only from same origin */
> if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
>     header(
>         "X-Content-Security-Policy: allow 'self'; "
>         . "options inline-script eval-script; "
>         . "frame-ancestors 'self'; img-src 'self' data:; "
>         . "script-src 'self' http://www.phpmyadmin.net"
>     );
>     header(
>         "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
>         . "options inline-script eval-script"
>     );
> }
I'm guessing that we need CSP for the version checker (or do we?), but
we don't really need the configuration directive for it. Not sure how to
proceed here. Any help appreciated, thanks.
Bye,
Rouslan
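For readers following the thread, here is an added example (not phpMyAdmin's code, and not part of Rouslan's message) that rebuilds the quoted header logic in Python using the standardised `Content-Security-Policy` header name, and adds a small checker that tells whether a response actually refuses cross-origin framing. It mirrors the quoted block: `frame-ancestors 'self'` is emitted only when third-party framing is disallowed, while the `script-src` allowance for the version-check host stays regardless. Assumptions: the pre-standard `allow` directive is rendered as `default-src`, the pre-standard `options inline-script eval-script` as `'unsafe-inline' 'unsafe-eval'` on `script-src`, and `X-Frame-Options: SAMEORIGIN` is added as a fallback for browsers without `frame-ancestors` support; the flag name `allow_third_party_framing` stands in for the `AllowThirdPartyFraming` directive.

```python
"""Added example, not phpMyAdmin code: compose a framing-restricting CSP
header in the shape of the quoted Header.class.php block, and check whether
a set of response headers refuses framing by other origins."""

# Host of the version checker, taken from the quoted snippet.
VERSION_CHECK_HOST = "http://www.phpmyadmin.net"


def build_headers(allow_third_party_framing: bool) -> dict:
    """Return response headers equivalent to the quoted block.

    allow_third_party_framing mirrors $cfg['AllowThirdPartyFraming']:
    when it is False, frame-ancestors 'self' (plus the legacy
    X-Frame-Options fallback) is sent; the script-src allowance for the
    version-check host is kept in both cases, since that part of the
    policy is independent of the framing question raised in the mail.
    """
    directives = [
        "default-src 'self'",                     # standard form of "allow 'self'"
        "img-src 'self' data:",
        # 'unsafe-inline' 'unsafe-eval' is the standard spelling of the
        # quoted "options inline-script eval-script" (it weakens script-src).
        f"script-src 'self' 'unsafe-inline' 'unsafe-eval' {VERSION_CHECK_HOST}",
    ]
    headers = {}
    if not allow_third_party_framing:
        directives.append("frame-ancestors 'self'")
        # Fallback for browsers that predate frame-ancestors (assumption).
        headers["X-Frame-Options"] = "SAMEORIGIN"
    headers["Content-Security-Policy"] = "; ".join(directives)
    return headers


def parse_csp(value: str) -> dict:
    """Parse a CSP header value into {directive-name: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_restricted(headers: dict) -> bool:
    """True if the response refuses framing by other origins.

    A frame-ancestors directive that is not wildcarded counts, as does a
    DENY or SAMEORIGIN X-Frame-Options header. Anything else is reported
    as unrestricted, which is the case worth flagging in a review.
    """
    csp = headers.get("Content-Security-Policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None and "*" not in ancestors:
            return True
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    for flag in (False, True):
        hdrs = build_headers(flag)
        print(f"AllowThirdPartyFraming={flag}: restricted={framing_restricted(hdrs)}")
        for name, value in hdrs.items():
            print(f"  {name}: {value}")
```

Running the module prints both header sets; only the `AllowThirdPartyFraming=False` variant carries `frame-ancestors 'self'`, which is the setting that actually addresses clickjacking. The checker is the kind of assertion a regression test for Header.class.php could make, so that a later refactor cannot silently drop the framing restriction while keeping the rest of the policy.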