Merge remote-tracking branch 'origin/master-1.3.x'

# Conflicts: # core/http_api.php
mantisbt · Aug 27, 2016 · 4e6b44d · 4e6b44d
2 parents 7530384 + df605e1
commit 4e6b44d
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/core/http_api.php b/core/http_api.php
@@ -229,6 +229,8 @@ function http_security_headers() {
 
 			http_csp_add( 'script-src', 'ajax.googleapis.com' );
 			http_csp_add( 'script-src', 'maxcdn.bootstrapcdn.com' );
+
+			http_csp_add( 'img-src', 'ajax.googleapis.com' );
 		}
 
 		# Relaxing policy for view issue page to allow inline scripts.
@@ -237,6 +239,11 @@ function http_security_headers() {
 			http_csp_add( 'script-src', "'unsafe-inline'" );
 		}
 
+		# The JS Calendar control does unsafe eval, remove once we upgrade the control (see #20040)
+		if( 'bug_update_page.php' == basename( $_SERVER['SCRIPT_NAME'] ) ) {
+			http_csp_add( 'script-src', "'unsafe-eval'" );
+		}
+
 		http_csp_emit_header();
 
 		if( http_is_protocol_https() ) {