CSP: Allow any images, media and fonts, disallow base-uri
authorJakub Vrana <jakub@vrana.cz>
Fri, 19 Jan 2018 10:05:26 +0000 (11:05 +0100)
committerJakub Vrana <jakub@vrana.cz>
Fri, 19 Jan 2018 10:05:26 +0000 (11:05 +0100)
adminer/include/design.inc.php
changes.txt

index 076ca0517278abaf8d04ff108fd8c1aa4d86ff17..87a8914d14e9cc3e523eccac7e04f4008386c84c 100644 (file)
@@ -109,12 +109,12 @@ function page_headers() {
 function csp() {
        return array(
                array(
-                       "default-src" => "'none'",
                        "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
                        "style-src" => "'self' 'unsafe-inline'",
                        "connect-src" => "'self'",
-                       "img-src" => "'self' data:",
                        "frame-src" => "https://www.adminer.org",
+                       "object-src" => "'none'",
+                       "base-uri" => "'none'",
                        "form-action" => "'self'",
                ),
        );
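Review bot: Dropping `default-src 'none'` opens more than images, media and fonts — every directive not explicitly listed in csp() (for example `manifest-src`, and any directive browsers add in future) now falls back to allow-all instead of to `'none'`, and the newly added `object-src 'none'` line becomes the only thing still blocking plugin content. The intent in the title can be kept with a closed default by leaving `default-src 'none'` in place and opening just the three source types explicitly; note that `*` does not match `data:` or `blob:`, so `data:` has to be listed to preserve the inline-image behaviour the removed `img-src` line had. A brief comment on the `object-src`/`base-uri` lines saying they exist because there is no closed default would also help the next editor. csp() continues past the end of this hunk.

```php
                        "default-src" => "'none'",
                        // … unchanged: script-src, style-src, connect-src …
                        "img-src" => "* data:",
                        "media-src" => "* data:",
                        "font-src" => "* data:",
                        // … unchanged: frame-src, object-src, base-uri, form-action …
```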
index 9a23ce7cf1cfe27b40a739ed35ba0a9a787a19f3..7ac3935c8126e0175b5702a2c635edfa3dc0d681 100644 (file)
@@ -1,5 +1,6 @@
 Adminer 4.4.1-dev:
 Adminer: Fix Search data in tables (regression from 4.4.0)
+CSP: Allow any images, media and fonts, disallow base-uri
 
 Adminer 4.4.0 (released 2018-01-17):
 Add Content Security Policy