commit 8e0ad65e940e2dacdf3241e819da0d15bceb9883 parent a45c8397f34b325483389881c13add5653ba8f97 Author: Jan Dankert <devnull@localhost> Date: Wed, 3 Jan 2018 23:54:53 +0100 Bei Seitenvorschau keine Content-Security-Policy verwenden. Diffstat:
modules/cms-core/action/PageAction.class.php | | | 7 | ++++++- |
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/cms-core/action/PageAction.class.php b/modules/cms-core/action/PageAction.class.php
@@ -630,7 +630,12 @@ class PageAction extends ObjectAction
 */
 function showView()
 {
- // Seite definieren
+ // Do NOT use CSP here.
+ // The output is only shown in an iframe, so there is no security impact to the CMS.
+ // But if the template is using inline JS or CSS, we would break this with a CSP-header.
+ header('Content-Security-Policy:');
+
+ // Seite definieren
 if ( $this->hasRequestVar('withIcons') ) $this->page->icons = true;
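Review bot: The added comment's claim that showing the output in an iframe means "no security impact to the CMS" does not hold on its own. A framed page served from the same origin as the CMS runs template-supplied inline script with the CMS origin unless the embedding iframe is sandboxed, and nothing visible in this hunk stops the view URL from being opened directly. Rather than clearing the policy with `header('Content-Security-Policy:');`, consider a reduced policy that still permits inline template code but keeps framing restricted, e.g. `header("Content-Security-Policy: frame-ancestors 'self'");`, and name in the comment the isolation the preview relies on (presumably a `sandbox` attribute or a separate preview origin; neither is visible here). If full removal is intended, `header_remove('Content-Security-Policy');` states that more clearly than an empty header value. showView() continues past the end of the hunk.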