#3588 X-WebKit-CSP Header breaks Safari 5.1

3.5.8
wont-fix
nobody
Normal
2015-04-14
2012-05-04
No

In 3.5.1 the line

header('X-WebKit-CSP: default-src \'self\' \'unsafe-inline\'; img-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' http://www.phpmyadmin.net');

was added in libraries/header_http.inc.php. This prevents Safari from loading frames and scripts.

Discussion

  • Quoting brightbeat:

    An easy fix currently for content-security-policy can be to add this line to config.inc.php
    $cfg['AllowThirdPartyFraming'] = true;

     
  • Michal Čihař
    2012-05-15

    • assigned_to: nobody --> nijel
     
  • Michal Čihař
    2012-05-15

    This bug was fixed in repository and will be part of a future release; thanks for reporting.

     
  • Michal Čihař
    2012-05-15

    • summary: 3.5.1 X-WebKit-CSP Header breaks Safari --> (ok 3.5.2) 3.5.1 X-WebKit-CSP Header breaks Safari
    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • wdauchy
    2012-05-16

    I applied commit 4a141a0 (https://github.com/phpmyadmin/phpmyadmin/commit/4a141a067c6b0a04e512ad73dcd86bbd188fa0ab) on top of a 3.5.1 release but it does not seem to fix the problem. Am I missing another commit?

     
  • Michal Čihař
    2012-05-17

    This one should be enough. Or at least it did fix the problem for browsers which I can test. I'm afraid that different WebKit versions parse X-WebKit-CSP differently. Can you try whether it will work when placing the content of X-Content-Security-Policy into X-WebKit-CSP?

     
  • Michal Čihař
    2012-05-17

    • priority: 1 --> 5
    • status: open-fixed --> open
     
  • wdauchy
    2012-05-18

    In fact I got some weird behaviour with Safari and random results. After clearing cache and stuff, it seems to be fixed with your commit. Sorry for the noise.

     
  • Michal Čihař
    2012-05-21

    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • Marc Delisle
    2012-07-20

    • status: open-fixed --> closed-fixed
     
  • wdauchy
    2013-04-28

    It seems that we still have the same issue with Safari 5.1.x on top of phpMyAdmin 3.5.8.1.

    Could someone confirm that?

     
  • Marc Delisle
    2013-04-30

    Reopening.

     
  • Marc Delisle
    2013-04-30

    • summary: (ok 3.5.2) 3.5.1 X-WebKit-CSP Header breaks Safari --> X-WebKit-CSP Header breaks Safari
    • status: closed-fixed --> open
    • Group: 3.5.1 --> 3.5.8
    • Priority: 1 --> 5
     
  • Michal Čihař
    2013-08-07

    • assigned_to: Michal Čihař --> nobody
     
  • Marc Delisle
    2014-07-28

    @wdauchy: on which OS is your Safari running?

     
  • Tested both QA_4_2 and master with a number of combinations of different Windows/OS X and Safari versions using BrowserStack.
    Master branch shows a blank screen with Safari 5.1 on all OSes.
    QA_4_2 branch does not load images on 5.1 on all OSes.

    However, phpMyAdmin on Safari 5 and 6 works fine.

     
    • summary: X-WebKit-CSP Header breaks Safari --> X-WebKit-CSP Header breaks Safari 5.1
     
  • Marc Delisle
    2015-04-14

    • status: open --> wont-fix
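
One way an operator could work around the behaviour reported in this ticket is to leave the X-WebKit-CSP header out for Safari 5.1 only, since the tests above found Safari 5 and 6 unaffected. This is an added example, not phpMyAdmin code and not the fix from commit 4a141a0; the function names and User-Agent samples are hypothetical, and the policy string is the one quoted in the report.

```php
<?php
// Added example, not phpMyAdmin code; function names are hypothetical.

/**
 * True when the User-Agent looks like desktop Safari 5.1.x.
 * Safari puts its release in the "Version/x.y" token. Chrome and other
 * WebKit-based browsers also send "Safari/", so they are excluded first.
 */
function is_safari_51(string $ua): bool
{
    if (preg_match('~(Chrome|Chromium|OPR|Edge)/~', $ua)) {
        return false;
    }
    return preg_match('~Version/5\.1(\.\d+)*\s+Safari/~', $ua) === 1;
}

/**
 * CSP header lines to send for this request.
 * The policy string is the one quoted in the report above.
 */
function csp_headers(string $ua): array
{
    $policy = "default-src 'self' 'unsafe-inline'; img-src 'self' data:; "
        . "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.phpmyadmin.net";

    if (is_safari_51($ua)) {
        // Trade-off: these clients get no CSP at all, but the page renders.
        return [];
    }
    return ['X-WebKit-CSP: ' . $policy];
}

// Constructed User-Agent strings for illustration.
$samples = [
    'Safari 5.1' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/534.57.2 '
        . '(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2',
    'Safari 6'   => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 '
        . '(KHTML, like Gecko) Version/6.0.5 Safari/536.30.1',
    'Chrome'     => 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 '
        . '(KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36',
];
foreach ($samples as $name => $ua) {
    printf("%-11s %s\n", $name, implode(' | ', csp_headers($ua)) ?: '(no CSP header)');
}

// In a request handler:
// foreach (csp_headers($_SERVER['HTTP_USER_AGENT'] ?? '') as $h) { header($h); }
```

Because the response now differs by User-Agent, any shared cache in front of the application needs to key on that header as well.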