Merge pull request #11440 from monojp/w4y-patches

login form style fix, sprites css caching fix and extended security-related HTTP headers
phpmyadmin · Aug 29, 2015 · 2192acf · 2192acf
2 parents 2a5a378 + 699d55f
commit 2192acf
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/libraries/Header.class.php b/libraries/Header.class.php
@@ -593,6 +593,22 @@ public function sendHttpHeaders()
             . $captcha_url
             . ";"
         );
+        // Re-enable possible disabled XSS filters
+        // see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        header(
+            'X-XSS-Protection: 1; mode=block'
+        );
+        // "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a
+        // response away from the declared content-type
+        /// see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+        header(
+            'X-Content-Type-Options: nosniff'
+        );
+        // Adobe cross-domain-policies
+        // see http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
+        header(
+            'X-Permitted-Cross-Domain-Policies: none'
+        );
         PMA_noCacheHeader();
         if (! defined('IS_TRANSFORMATION_WRAPPER')) {
             // Define the charset to be used

diff --git a/themes/pmahomme/css/common.css.php b/themes/pmahomme/css/common.css.php
@@ -894,6 +894,7 @@
 form.login input[type=text],
 form.login input[type=password],
 form.login select {
+    box-sizing: border-box;
     width: 14em;
 }
 

diff --git a/themes/sprites.css.php b/themes/sprites.css.php
@@ -11,7 +11,7 @@
     exit();
 }
 
-$bg = $_SESSION['PMA_Theme']->getImgPath() . 'sprites.png';
+$bg = $_SESSION['PMA_Theme']->getImgPath() . 'sprites.png?v=' . urlencode(PMA_VERSION);
 /* Check if there is a valid data file for sprites */
 if (is_readable($_SESSION['PMA_Theme']->getPath() . '/sprites.lib.php')) {