diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index dde21082..c25a8e0a 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -65,10 +65,9 @@ class Adminer {
 	}
 	
 	/** Headers to send before HTML output
-	* @return bool true to send security headers
+	* @return null
 	*/
 	function headers() {
-		return true;
 	}
 	
 	/** Print HTML code inside
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 83d34d61..cd0563e5 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -87,12 +87,11 @@ function page_headers() {
 	global $adminer;
 	header("Content-Type: text/html; charset=utf-8");
 	header("Cache-Control: no-cache");
-	if ($adminer->headers()) {
-		header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
-		header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
-		header("X-Content-Type-Options: nosniff");
-		header("Referrer-Policy: origin-when-cross-origin");
-	}
+	header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
+	header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
+	header("X-Content-Type-Options: nosniff");
+	header("Referrer-Policy: origin-when-cross-origin");
+	$adminer->headers();
 }
 
 /** Print flash and error messages
diff --git a/changes.txt b/changes.txt
index 2a33e236..5ca548e8 100644
--- a/changes.txt
+++ b/changes.txt
@@ -6,6 +6,7 @@ PostgreSQL: Sort table names (regression from 4.3.1)
 Editor: Don't set time zone from PHP, fixes DST
 Editor: Display field comment's text inside [] only in edit form
 Editor: Fix doubleclick on database page
+Customization: Always send security headers
 Hebrew translation
 
 Adminer 4.3.1 (released 2017-04-14):
diff --git a/editor/include/adminer.inc.php b/editor/include/adminer.inc.php
index 1aa78646..4c55d937 100644
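Review bot: The new docblock `@return null` no longer tells an implementer what overriding `headers()` is for, since the sentence about sending the security headers was dropped with the return value. As far as this diff shows, page_headers() in design.inc.php now invokes the hook after the four default headers have already been sent, so the contract a customization depends on is that it runs last and may replace a default with header() or drop one with header_remove(). I would write the docblock as `/** Headers to send before HTML output; called after the default security headers, so an override may replace them with header() or drop them with header_remove()` followed by `* @return null`. The same stub in editor/include/adminer.inc.php has no docblock at all and would benefit from the same one-liner.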
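Review bot: The return value of `$adminer->headers()` on the last added line is now discarded, so a customization written against the previous version that returned false to suppress the defaults will silently get `X-Frame-Options: deny` and the other three headers sent before its own code runs. That is the hardening the commit intends, but nothing at the call site records that the ordering is deliberate, and plugins/frames.php in this same commit relies on it (its header_remove() only works because the default was already sent). A short comment on the new line would protect the ordering from a later refactor: `$adminer->headers(); // runs last on purpose: an override may replace or header_remove() the defaults above; its return value is ignored`.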
--- a/editor/include/adminer.inc.php
+++ b/editor/include/adminer.inc.php
@@ -45,7 +45,6 @@ class Adminer {
 	}
 	
 	function headers() {
-		return true;
 	}
 	
 	function head() {
diff --git a/plugins/frames.php b/plugins/frames.php
index 32e521bc..c09e630a 100644
--- a/plugins/frames.php
+++ b/plugins/frames.php
@@ -20,11 +20,9 @@ class AdminerFrames {
 	
 	function headers() {
 		if ($this->sameOrigin) {
 			header("X-Frame-Options: SameOrigin");
+		} elseif (function_exists('header_remove')) {
+			header_remove("X-Frame-Options");
 		}
-		header("X-XSS-Protection: 0");
-		header("X-Content-Type-Options: nosniff");
-		header("Referrer-Policy: origin-when-cross-origin");
-		return false;
 	}
 }
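Review bot: In the non-sameOrigin branch of AdminerFrames::headers() the `X-Frame-Options: deny` sent by page_headers() is only undone when header_remove() exists; on a PHP build without it the branch is a silent no-op and the plugin does nothing while appearing enabled. That fallback should at least be stated in the plugin's class docblock, which starts outside the hunk, e.g. `* Requires header_remove() (PHP 5.3+) unless constructed with $sameOrigin = true`. Separately, removing the header outright re-opens clickjacking from every origin; if the embedding site is known, sending a `Content-Security-Policy: frame-ancestors <allowed-origin>` (placeholder) in place of header_remove() would keep the protection for everyone else, though that would need a new constructor option since the class only carries `$this->sameOrigin` as far as the hunk shows. The constructor and property are outside the hunk.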