From 4a141a067c6b0a04e512ad73dcd86bbd188fa0ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 15 May 2012 14:17:19 +0200
Subject: [PATCH] bug #3523499 [core] Make X-WebKit-CSP work better

This seems to work fine in Epiphany and Chromium, I don't have other browsers to test.
---
 ChangeLog | 1 +
 libraries/header_http.inc.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0da397220d0d..efc5a7050fd6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ phpMyAdmin - ChangeLog
 - bug [GUI] Invalid HTML code on transformation_overview.php
 - bug #3522930 [browse] Missing validation in Ajax mode
 - bug Fix popup message on build SQL of import
+- bug #3523499 [core] Make X-WebKit-CSP work better
 
 3.5.1.0 (2012-05-03)
 - bug #3510784 [edit] Limit clause ignored when sort order is remembered
diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php
index adc8d04473a7..6bc295bc059f 100644
--- a/libraries/header_http.inc.php
+++ b/libraries/header_http.inc.php
@@ -23,7 +23,7 @@
 if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
     header('X-Frame-Options: SAMEORIGIN');
     header("X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' http://www.phpmyadmin.net");
-    header("X-WebKit-CSP: default-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.phpmyadmin.net");
+    header("X-WebKit-CSP: allow 'self' http://www.phpmyadmin.net; options inline-script eval-script");
 }
 PMA_no_cache_header();
 if (!defined('IS_TRANSFORMATION_WRAPPER')) {
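Review bot: The new X-WebKit-CSP value uses `allow` and `options`, which are directives of Mozilla's X-Content-Security-Policy syntax (the same syntax the unchanged X-Content-Security-Policy line above uses); WebKit's implementation follows the W3C draft syntax (`default-src`, `script-src`, `'unsafe-inline'`, `'unsafe-eval'`) that the removed line used, so WebKit will most likely ignore both directives and enforce no policy at all, which would also explain why pages now "work fine". A header that silently enforces nothing is worse than a slightly too strict one, because it keeps the appearance of protection while providing none. If the previous policy blocked something needed, widen it in WebKit syntax instead, e.g. `header("X-WebKit-CSP: default-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.phpmyadmin.net; img-src 'self' data:");`, and confirm in Chromium's developer console that a violation is actually reported when a resource outside the policy is loaded. Note also that the removed line allowed `data:` images, which the new value drops.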