header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin");
- $csp = array();
- foreach ($adminer->csp() as $key => $val) {
- $csp[] = "$key $val";
- }
- if ($csp) {
- header("Content-Security-Policy: " . implode("; ", $csp));
+ foreach ($adminer->csp() as $csp) {
+ $header = array();
+ foreach ($csp as $key => $val) {
+ $header[] = "$key $val";
+ }
+ header("Content-Security-Policy: " . implode("; ", $header));
}
$adminer->headers();
}
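Review bot: The new loop calls `header("Content-Security-Policy: ...")` once per policy, but PHP's `header()` defaults to `$replace = true`, so each call replaces the previous `Content-Security-Policy` header and only the last element of `$adminer->csp()` ever reaches the browser — the multi-policy structure this change introduces is silently defeated. Pass `false` as the second argument so the headers accumulate: `header("Content-Security-Policy: " . implode("; ", $header), false);`. The old `if ($csp)` guard is also gone, so an empty inner array now emits a bare `Content-Security-Policy: ` line; keeping `if ($header) {` around the `header()` call preserves the previous behaviour. The enclosing function and its `if` block start outside this hunk.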
/** Get Content Security Policy headers
-* @return array directive name in key, allowed sources in value
+* @return array of arrays with directive name in key, allowed sources in value
*/
function csp() {
return array(
- "default-src" => "'none'",
- "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
- "style-src" => "'self' 'unsafe-inline'",
- "connect-src" => "'self'",
- "img-src" => "'self' data:",
- "frame-src" => "https://www.adminer.org",
- "form-action" => "'self'",
+ array(
+ "default-src" => "'none'",
+ "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
+ "style-src" => "'self' 'unsafe-inline'",
+ "connect-src" => "'self'",
+ "img-src" => "'self' data:",
+ "frame-src" => "https://www.adminer.org",
+ "form-action" => "'self'",
+ ),
);
}
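Review bot: The updated docblock says the return value is an array of arrays but does not say what a second element means, and a plugin author overriding `csp()` could reasonably assume adding a policy loosens the first one. Browsers enforce every received `Content-Security-Policy` header independently, so a load must satisfy all of them and a second policy can only restrict further; that is worth stating next to `@return`, e.g. `* Each inner array is sent as a separate Content-Security-Policy header; browsers enforce all of them, so additional policies can only tighten the first one.` The `script-src` comment on `'self'`/`'unsafe-inline'` fallbacks is still accurate for a nonce-based policy and can stay as is.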