Fix CSP header:

* add 'self' for img-src and script-src * version.js access: - remove protocol (shorter and useful mainly when HTTPS is required) - remove path (invalid syntax, only hosts are allowed there)
rclakmal · Mar 4, 2011 · 612598f · 612598f
1 parent 260cf97
commit 612598f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php
@@ -22,7 +22,7 @@
 /* Prevent against ClickJacking by allowing frames only from same origin */
 if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
     header('X-Frame-Options: SAMEORIGIN');
-    header('X-Content-Security-Policy: allow \'self\'; options inline-script eval-script; frame-ancestors \'self\'; img-src data:; script-src http://www.phpmyadmin.net/home_page/version.js');
+    header('X-Content-Security-Policy: allow \'self\'; options inline-script eval-script; frame-ancestors \'self\'; img-src \'self\' data:; script-src \'self\' www.phpmyadmin.net');
 }
 header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
 header('Last-Modified: ' . $GLOBALS['now']);