openrat-cms


commit c07ede8a90cc75661ce9a202bf377ea0f9b7d6ed
parent 51a2c37152508f096b1a18ebe9b5bf414ef3c73f
Author: Jan Dankert <devnull@localhost>
Date:   Tue, 30 Oct 2012 23:15:49 +0100

Fix für CSP: Angabe 'options inline-script' ohne Hochkommas, CSP ist per Konfiguration ausschaltbar.

Diffstat:
Maction/Action.class.php | 7++++---
Mconfig/config-default.php | 1+
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/action/Action.class.php b/action/Action.class.php
@@ -354,6 +354,7 @@ class Action
 public function forward()
 {
 Session::close();
+ global $conf;
 $db = db_connection();
@@ -378,8 +379,9 @@ class Action
 // Ablaufzeit für den Inhalt auf aktuelle Zeit setzen.
 header('Expires: '.substr(date('r',time()-date('Z')),0,-5).'GMT',false );
-
- header('X-Content-Security-Policy: '.'allow *; script-src \'self\'; options \'inline-script\'');
+
+ if ( $conf['security']['content-security-policy'] )
+ header('X-Content-Security-Policy: '.'allow \'self\'; img-src: *; script-src \'self\'; options inline-script');
 $httpAccept = getenv('HTTP_ACCEPT');
@@ -449,7 +451,6 @@ class Action
 if ( isset($this->actionConfig[$this->subActionName]['menu']))
 $windowTitle = 'menu_title_'.$this->actionName.'_'.$this->actionConfig[$this->subActionName]['menu'];
- global $conf;
 global $REQ;
 global $PHP_SELF;
 global $HTTP_SERVER_VARS;
diff --git a/config/config-default.php b/config/config-default.php
@@ -792,6 +792,7 @@ $conf['security']['user'] = array();
 $conf['security']['user']['show_admin_mail']=true;
 $conf['security']['user']['show_mail']=true;
 $conf['security']['user']['send_message']=true;
+$conf['security']['content-security-policy']=true;
 $conf['style'] = array();
 $conf['style']['grey']=array();
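Review bot: In the second hunk of action/Action.class.php, `img-src: *` is not valid directive syntax — a CSP directive is a name followed by a space-separated source list with no colon — so the image directive is likely to be ignored and, with `allow 'self'` as the fallback, images from other hosts may then be blocked; the line should read `header('X-Content-Security-Policy: '.'allow \'self\'; img-src *; script-src \'self\'; options inline-script');`. `options inline-script` re-enables inline scripts and so gives up most of the XSS mitigation this header exists for; a short comment next to it stating which templates need inline scripts would tell the next maintainer whether it can ever be removed. Only the pre-standard X-prefixed header is sent, so browsers that implement the standard `Content-Security-Policy` header receive no policy at all; when this is revisited, `Content-Security-Policy: default-src 'self'; img-src *; script-src 'self' 'unsafe-inline'` is the equivalent standard form. The condition `if ( $conf['security']['content-security-policy'] )` raises a notice on installations whose config predates the new key, which `!empty($conf['security']['content-security-policy'])` avoids. forward() appears to enclose this hunk and both starts and ends outside it.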