[Phpmyadmin-devel] Cross framing protection

Rouslan Placella rouslan at placella.com
Mon Jun 25 13:04:29 CEST 2012


On 25/06/12 11:54, Michal Čihař wrote:
> Hi
>
> On Mon, 25 Jun 2012 11:27:43 +0100
> Rouslan Placella <rouslan at placella.com> wrote:
>
>> I've just dropped the cross_framing_protection.js script in my branch.
>> However there is the below bit of code from Header.class.php that I'm
>> not too sure what to do with.
>>
>>> /* Prevent against ClickJacking by allowing frames only from same origin */
>>> if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {
>>>      header(
>>>          "X-Content-Security-Policy: allow 'self'; "
>>>          . "options inline-script eval-script; "
>>>          . "frame-ancestors 'self'; img-src 'self' data:; "
>>>          . "script-src 'self' http://www.phpmyadmin.net"
>>>      );
>>>      header(
>>>          "X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; "
>>>          . "options inline-script eval-script"
>>>      );
>>> }
>>
>> I'm guessing that we need CSP for the version checker (or do we?), but
>> we don't really need the configuration directive for it. Not sure how to
>> proceed here. Any help appreciated, thanks.
>
> I think CSP should be present in all cases. Actually it should have
> been present also when framing is enabled, only adjusted so that it
> would allow framing.

Thanks for the quick reply. So it's like I thought, drop the config 
directive and leave in some slightly modified headers.
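As an added illustration of what the thread settles on, the following is example code written here, not phpMyAdmin's own Header.class.php: the CSP headers are built unconditionally, and only the `frame-ancestors` directive changes with the framing setting. The function names `csp_headers()` and `send_csp_headers()`, the `$allowThirdPartyFraming` parameter and the choice of `*` for the relaxed case are assumptions; the standard `Content-Security-Policy` header and the `X-Frame-Options` line are additions beyond the quoted snippet, which only emitted the prefixed `X-Content-Security-Policy` and `X-WebKit-CSP` forms.

```php
<?php
// Added example, not phpMyAdmin code. Builds clickjacking-related headers
// that are sent in every case; the framing flag only adjusts frame-ancestors.

function csp_headers(bool $allowThirdPartyFraming): array
{
    // Script origins the quoted snippet already allowed (self + version checker host).
    $scriptSrc = "'self' http://www.phpmyadmin.net";

    // Same-origin framing by default; '*' (an assumption for this example)
    // when the deployment explicitly wants third-party framing.
    $frameAncestors = $allowThirdPartyFraming ? '*' : "'self'";

    $headers = [];

    // Standard CSP 1.0 header. 'unsafe-inline' / 'unsafe-eval' are the
    // standard equivalents of the legacy "options inline-script eval-script".
    $headers['Content-Security-Policy'] =
        "default-src 'self'; "
        . "script-src " . $scriptSrc . " 'unsafe-inline' 'unsafe-eval'; "
        . "img-src 'self' data:; "
        . "frame-ancestors " . $frameAncestors;

    // Legacy prefixed forms, kept in the same shape as the quoted snippet
    // but with frame-ancestors now driven by the flag instead of omitted.
    $headers['X-Content-Security-Policy'] =
        "allow 'self'; "
        . "options inline-script eval-script; "
        . "frame-ancestors " . $frameAncestors . "; "
        . "img-src 'self' data:; "
        . "script-src " . $scriptSrc;
    $headers['X-WebKit-CSP'] =
        "allow 'self' http://www.phpmyadmin.net; "
        . "options inline-script eval-script";

    // Not in the quoted snippet: X-Frame-Options is the fallback understood by
    // browsers that predate frame-ancestors. Sent only when framing is restricted.
    if (! $allowThirdPartyFraming) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }

    return $headers;
}

function send_csp_headers(bool $allowThirdPartyFraming): void
{
    // Must run before any output, like any header() call.
    foreach (csp_headers($allowThirdPartyFraming) as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Example usage: restrictive headers for the common case.
send_csp_headers(false);
```

Returning the headers as an array from `csp_headers()` keeps the policy inspectable in a unit test without a web server, which is useful for checking that `frame-ancestors` really does flip with the flag and that nothing else in the policy changes.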
