CSP: Allow any images, media and fonts, disallow base-uri

2018-01-19 11:05:26 +01:00 · 2018-01-19 11:05:26 +01:00 · 329b7de9cc
parent 2dcad1f284
commit 329b7de9cc
2 changed files with 3 additions and 2 deletions
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@ -109,12 +109,12 @@ function page_headers() {
 function csp() {
 	return array(
 		array(
-			"default-src" => "'none'",
 			"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
 			"style-src" => "'self' 'unsafe-inline'",
 			"connect-src" => "'self'",
-			"img-src" => "'self' data:",
 			"frame-src" => "https://www.adminer.org",
+			"object-src" => "'none'",
+			"base-uri" => "'none'",
 			"form-action" => "'self'",
 		),
 	);
--- a/changes.txt
+++ b/changes.txt
@ -1,5 +1,6 @@
 Adminer 4.4.1-dev:
 Adminer: Fix Search data in tables (regression from 4.4.0)
+CSP: Allow any images, media and fonts, disallow base-uri

 Adminer 4.4.0 (released 2018-01-17):
 Add Content Security Policy