
Enable security headers
It was disabled in the 2.0.0-beta.1 release; this commit re-enables it.

Fixes #21650
vboctor committed Aug 27, 2016
1 parent 7192eb0 commit df3d0bc
Showing 1 changed file with 2 additions and 7 deletions.
9 changes: 2 additions & 7 deletions core/http_api.php
Expand Up @@ -214,6 +214,7 @@ function http_security_headers() {
http_csp_add( 'default-src', "'self'" );
http_csp_add( 'frame-ancestors', "'none'" );
http_csp_add( 'style-src', "'self'" );
http_csp_add( 'style-src', "'unsafe-inline'" );
http_csp_add( 'script-src', "'self'" );
http_csp_add( 'img-src', "'self'" );

Expand All @@ -224,12 +225,6 @@ function http_security_headers() {
http_csp_add( 'script-src', $t_cdn_url );
}

# Relaxing policy for roadmap page to allow inline styles
# This is a workaround to fix the broken progress bars (see #19501)
if( 'roadmap_page.php' == basename( $_SERVER['SCRIPT_NAME'] ) ) {
http_csp_add( 'style-src', "'unsafe-inline'" );
}

http_csp_emit_header();

if( http_is_protocol_https() ) {
Expand Down Expand Up @@ -261,7 +256,7 @@ function http_all_headers() {
if( !$g_bypass_headers && !headers_sent() ) {
http_content_headers();
http_caching_headers();
#http_security_headers();
http_security_headers();
http_custom_headers();
}
}
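Review bot: The `'unsafe-inline'` value added to style-src in the first hunk now applies to every page, while the block removed in the second hunk limited that relaxation to roadmap_page.php and carried the comment explaining why (#19501); the commit message only speaks of re-enabling the headers, so the policy widening is undocumented in both the code and the record. The dropped rationale should be kept next to the new line, e.g. `# 'unsafe-inline' styles are needed for the inline progress bars (see #19501); this now relaxes style-src on every page, not only roadmap_page.php`. If the inline style that needs it is a fixed block, a hash or nonce source for just that style would keep the stricter policy for the rest of the site, but the style itself is not visible here. http_security_headers() begins before the first hunk and continues past the second.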
