openrat-cms


commit 8e0ad65e940e2dacdf3241e819da0d15bceb9883
parent a45c8397f34b325483389881c13add5653ba8f97
Author: Jan Dankert <devnull@localhost>
Date:   Wed,  3 Jan 2018 23:54:53 +0100

Bei Seitenvorschau keine Content-Security-Policy verwenden.

Diffstat:
modules/cms-core/action/PageAction.class.php | 7++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/cms-core/action/PageAction.class.php b/modules/cms-core/action/PageAction.class.php
@@ -630,7 +630,12 @@ class PageAction extends ObjectAction
 */
 function showView()
 {
- // Seite definieren
+ // Do NOT use CSP here.
+ // The output is only shown in an iframe, so there is no security impact to the CMS.
+ // But if the template is using inline JS or CSS, we would break this with a CSP-header.
+ header('Content-Security-Policy:');
+
+ // Seite definieren
 if ( $this->hasRequestVar('withIcons') )
 $this->page->icons = true;
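Review bot: The added comment's claim that dropping the policy has "no security impact to the CMS" holds only if the preview iframe is isolated from the CMS document, which nothing in this hunk shows; if the preview is served from the CMS origin and the iframe carries no `sandbox` attribute, inline script from a template or from page content runs with the editor's session. Rather than emitting an empty header in `showView()`, consider a preview-specific policy that still permits inline JS/CSS but keeps framing restricted, e.g. `header("Content-Security-Policy: frame-ancestors 'self'");`, and state the isolation assumption in the comment. If the policy really must be absent, `header_remove('Content-Security-Policy');` makes the intent explicit instead of depending on how an empty-valued header is handled by PHP and the browser. The body of `showView()` continues past the end of the hunk.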