Menu
▾
▴
#3588 X-WebKit-CSP Header breaks Safari 5.1
wont-fix
nobody
Normal
2015-04-14
2012-05-04
No
In 3.5.1 the line
header('X-WebKit-CSP: default-src \'self\' \'unsafe-inline\'; img-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' http://www.phpmyadmin.net');
was added in libraries/header_http.inc.php. This prevents Safari from loading frames and scripts.
Quoting brightbeat:
An easy fix currently for content-security-policy can be to add this line to config.inc.php
$cfg['AllowThirdPartyFraming'] = true;
This bug was fixed in repository and will be part of a future release; thanks for reporting.
I applied commit 4a141a0 (https://github.com/phpmyadmin/phpmyadmin/commit/4a141a067c6b0a04e512ad73dcd86bbd188fa0ab) on top of a 3.5.1 release but it does not seem to fix the problem. Am I missing another commit?
This one should be enough. Or at least it did fix problem for browsers which I can test. I'm afraid that different Webkit versions parse differently X-WebKit-CSP. Can you try whether it will work when placing content of X-Content-Security-Policy into X-WebKit-CSP?
In fact I got some weird behaviour with safari and random results. After clearing cache and stuff, it seems to be fixed with your commit. Sorry for the noise.
It seems that we still have the same issue with safari 5.1.x on top phpmyadmin 3.5.8.1
Could someone confirm that?
Reopening.
@wdauchy: on which OS is your Safari running?
Tested both QA_4_2 and master with a number of combinations of different windows/os x and safari versions using browser stack.
Master branch show a blank screen with safari 5.1 on all OSes.
QA_4_2 branch does not load images on 5.1 on all OSes.
However phpMyAdmin on Safari 5 and 6 works fine
This affects an ancient version of Safari. Based on http://www.w3counter.com/globalstats.php and http://www.w3schools.com/browsers/browsers_safari.asp I suggest to mark this as wont-fix.
Agreed.