[Phpmyadmin-devel] Cross framing protection
Rouslan Placella
rouslan at placella.com
Mon Jun 25 13:04:29 CEST 2012
On 25/06/12 11:54, Michal Čihař wrote:
> Hi
>
> Dne Mon, 25 Jun 2012 11:27:43 +0100
> Rouslan Placella<rouslan at placella.com> napsal(a):
>
>> I've just dropped the cross_framing_protection.js script in my branch.
>> However there is the below bit of code from Header.class.php that I'm
>> not too sure what to do with.
>>
>>> /* Prevent against ClickJacking by allowing frames only from same origin */
>>> if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
>>> header(
>>> "X-Content-Security-Policy: allow 'self'; "
>>> . "options inline-script eval-script; "
>>> . "frame-ancestors 'self'; img-src 'self' data:; "
>>> . "script-src 'self' http://www.phpmyadmin.net"
>>> );
>>> header(
>>> "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
>>> . "options inline-script eval-script"
>>> );
>>> }
>>
>> I'm guessing that we need CSP for the version checker (or do we?), but
>> we don't really need the configuration directive for it. Not sure how to
>> proceed here. Any help appreciated, thanks.
>
> I think CSP should be present in all cases. Actually it should have
> been present also when framing is enabled, only adjusted so that it
> would allow framing.
Thanks for the quick reply. So it's like I thought, drop the config
directive and leave in some slightly modified headers.
More information about the Developers
mailing list