Always send security headers in customization
parent
415253b1b1
commit
552d2a6be4
|
@ -65,10 +65,9 @@ class Adminer {
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Headers to send before HTML output
|
/** Headers to send before HTML output
|
||||||
* @return bool true to send security headers
|
* @return null
|
||||||
*/
|
*/
|
||||||
function headers() {
|
function headers() {
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Print HTML code inside <head>
|
/** Print HTML code inside <head>
|
||||||
|
|
|
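Review bot: The new docblock `/** Headers to send before HTML output` with `@return null` no longer tells an overriding class what the hook is for now that the body is empty and `return true;` is gone; the old contract (return false to suppress the security headers) has silently disappeared, because page_headers() in the next hunk now sends them regardless of what this method does. I would reword the docblock as `/** Send additional headers before HTML output; the standard security headers are sent by page_headers() regardless of this method and can be overridden with header() or header_remove()`. The stub `class Adminer` changed in the `@ -45,7 +45,6 @@` hunk has the same gap, with no comment on headers() at all, and the same wording would fit there.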
@ -87,12 +87,11 @@ function page_headers() {
|
||||||
global $adminer;
|
global $adminer;
|
||||||
header("Content-Type: text/html; charset=utf-8");
|
header("Content-Type: text/html; charset=utf-8");
|
||||||
header("Cache-Control: no-cache");
|
header("Cache-Control: no-cache");
|
||||||
if ($adminer->headers()) {
|
header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
|
||||||
header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
|
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
|
||||||
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
|
header("X-Content-Type-Options: nosniff");
|
||||||
header("X-Content-Type-Options: nosniff");
|
header("Referrer-Policy: origin-when-cross-origin");
|
||||||
header("Referrer-Policy: origin-when-cross-origin");
|
$adminer->headers();
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Print flash and error messages
|
/** Print flash and error messages
|
||||||
|
|
|
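Review bot: `$adminer->headers();` is now called after the four security headers instead of gating them, which is the intended extension point but is undocumented in the hunk; since PHP's header() replaces an existing header of the same name by default, an override in the hook silently wins over `X-Frame-Options: deny` and nothing in this function says so. A short comment on the call, `// customization hook: may override or header_remove() the security headers above`, would make that contract visible to anyone auditing what the page actually sends. page_headers() begins before the hunk.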
@ -6,6 +6,7 @@ PostgreSQL: Sort table names (regression from 4.3.1)
|
||||||
Editor: Don't set time zone from PHP, fixes DST
|
Editor: Don't set time zone from PHP, fixes DST
|
||||||
Editor: Display field comment's text inside [] only in edit form
|
Editor: Display field comment's text inside [] only in edit form
|
||||||
Editor: Fix doubleclick on database page
|
Editor: Fix doubleclick on database page
|
||||||
|
Customization: Always send security headers
|
||||||
Hebrew translation
|
Hebrew translation
|
||||||
|
|
||||||
Adminer 4.3.1 (released 2017-04-14):
|
Adminer 4.3.1 (released 2017-04-14):
|
||||||
|
|
|
@ -45,7 +45,6 @@ class Adminer {
|
||||||
}
|
}
|
||||||
|
|
||||||
function headers() {
|
function headers() {
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function head() {
|
function head() {
|
||||||
|
|
|
@ -20,11 +20,9 @@ class AdminerFrames {
|
||||||
function headers() {
|
function headers() {
|
||||||
if ($this->sameOrigin) {
|
if ($this->sameOrigin) {
|
||||||
header("X-Frame-Options: SameOrigin");
|
header("X-Frame-Options: SameOrigin");
|
||||||
|
} elseif (function_exists('header_remove')) {
|
||||||
|
header_remove("X-Frame-Options");
|
||||||
}
|
}
|
||||||
header("X-XSS-Protection: 0");
|
|
||||||
header("X-Content-Type-Options: nosniff");
|
|
||||||
header("Referrer-Policy: origin-when-cross-origin");
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
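Review bot: In the new `elseif (function_exists('header_remove'))` branch the fallback when header_remove() is unavailable is to do nothing, so on such a PHP build the `X-Frame-Options: deny` sent by page_headers() stays and the plugin's cross-origin framing silently remains blocked — a behaviour difference the hunk does not document. I would note it on the branch, `// without header_remove() the deny header from page_headers() stays and framing remains blocked`. It would also help to state on the same branch that removing the header means any origin may frame the page, since that is the security-relevant effect of this plugin and should be stated where it is done.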