[Phpmyadmin-devel] Cross framing protection
Michal Čihař
michal at cihar.com
Mon Jun 25 12:54:20 CEST 2012
Hi
On Mon, 25 Jun 2012 11:27:43 +0100
Rouslan Placella <rouslan at placella.com> wrote:
> I've just dropped the cross_framing_protection.js script in my branch.
> However there is the below bit of code from Header.class.php that I'm
> not too sure what to do with.
>
> > /* Prevent against ClickJacking by allowing frames only from same origin */
> > if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
> >     header(
> >         "X-Content-Security-Policy: allow 'self'; "
> >         . "options inline-script eval-script; "
> >         . "frame-ancestors 'self'; img-src 'self' data:; "
> >         . "script-src 'self' http://www.phpmyadmin.net"
> >     );
> >     header(
> >         "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
> >         . "options inline-script eval-script"
> >     );
> > }
>
> I'm guessing that we need CSP for the version checker (or do we?), but
> we don't really need the configuration directive for it. Not sure how to
> proceed here. Any help appreciated, thanks.
I think CSP should be present in all cases. Actually, it should have
been present also when framing is enabled, only adjusted so that it
would allow framing.
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
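One way to do what Michal suggests, as an added example that is not phpMyAdmin's code and not part of this thread: emit the policy headers unconditionally, and let the configuration directive only decide the frame-ancestors value. The function names pma_csp_headers() and pma_send_csp_headers() are hypothetical; the directive strings are copied from the snippet quoted above, except for frame-ancestors, which is widened to '*' when third-party framing is allowed, and the X-Frame-Options line, which is an addition not present in the quoted code.

```php
<?php
// Added example, not phpMyAdmin code: CSP headers are always sent and
// only the frame-ancestors source list depends on AllowThirdPartyFraming.

/**
 * Build the header lines for the prefixed CSP headers used in the quoted
 * snippet (X-Content-Security-Policy for Firefox, X-WebKit-CSP for
 * WebKit-based browsers of that era).
 *
 * Returns "Name: value" strings instead of calling header() directly so
 * the result can be inspected or unit-tested without an HTTP context.
 *
 * @param bool $allowThirdPartyFraming mirrors $cfg['AllowThirdPartyFraming']
 * @return string[]
 */
function pma_csp_headers(bool $allowThirdPartyFraming): array
{
    // Who may embed this page in a frame: only our own origin by default,
    // any origin when the administrator explicitly opted in.
    $frameAncestors = $allowThirdPartyFraming ? '*' : "'self'";

    // Same directives as the quoted code; only frame-ancestors varies.
    $xcsp = "allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors $frameAncestors; "
        . "img-src 'self' data:; "
        . "script-src 'self' http://www.phpmyadmin.net";

    // The quoted X-WebKit-CSP value carries no frame-ancestors directive;
    // it is kept unchanged here.
    $webkit = "allow 'self' http://www.phpmyadmin.net; "
        . "options inline-script eval-script";

    $headers = [
        "X-Content-Security-Policy: $xcsp",
        "X-WebKit-CSP: $webkit",
    ];

    // Addition not in the quoted snippet: X-Frame-Options is the older,
    // more widely honoured clickjacking control, so send it as well
    // whenever framing is restricted.
    if (! $allowThirdPartyFraming) {
        $headers[] = 'X-Frame-Options: SAMEORIGIN';
    }

    return $headers;
}

/**
 * Send the headers for the current request.
 */
function pma_send_csp_headers(bool $allowThirdPartyFraming): void
{
    foreach (pma_csp_headers($allowThirdPartyFraming) as $line) {
        header($line);
    }
}

// Stand-alone check from the command line: print both configurations.
if (PHP_SAPI === 'cli') {
    foreach ([false, true] as $allow) {
        echo 'AllowThirdPartyFraming = ', var_export($allow, true), "\n";
        foreach (pma_csp_headers($allow) as $line) {
            echo '  ', $line, "\n";
        }
    }
}
```

With this shape the img-src and script-src restrictions (which the version checker relies on for http://www.phpmyadmin.net) are never dropped just because an administrator permits framing; the only thing the directive relaxes is who may embed the page.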