Add Content-Security-Policy header

This is standard and obsoletes X-Content-Security-Policy and X-Webkit-CSP, but we still keep the old ones to provide headers for old browsers. Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Mar 19, 2014 · 5199ad8 · 5199ad8
1 parent 7862564
commit 5199ad8
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/libraries/Header.class.php b/libraries/Header.class.php
@@ -470,6 +470,20 @@ public function sendHttpHeaders()
                     'X-Frame-Options: DENY'
                 );
             }
+            header(
+                "Content-Security-Policy: default-src 'self' "
+                . ($use_captcha ? 'https://www.google.com ' : ' ')
+                . $GLOBALS['cfg']['CSPAllow'] . ';'
+                . "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+                . ($use_captcha ? 'https://www.google.com ' : ' ')
+                . ";"
+                . "img-src 'self' data: "
+                . $GLOBALS['cfg']['CSPAllow']
+                . ($https ? "" : $mapTilesUrls)
+                // for reCAPTCHA
+                . ($use_captcha ? ' https://www.google.com' : ' ')
+                . ";"
+            );
             header(
                 "X-Content-Security-Policy: default-src 'self' "
                 . ($use_captcha ? 'https://www.google.com ' : ' ')