Always send security headers in customization

2025-08-08 15:47:00 +02:00 · 2018-01-09 13:48:51 +01:00
parent 415253b1b1
commit 552d2a6be4
5 changed files with 9 additions and 13 deletions
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -65,10 +65,9 @@ class Adminer {
 	}

 	/** Headers to send before HTML output
-	* @return bool true to send security headers
+	* @return null
 	*/
 	function headers() {
-		return true;
 	}

 	/** Print HTML code inside <head>
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -87,12 +87,11 @@ function page_headers() {
 	global $adminer;
 	header("Content-Type: text/html; charset=utf-8");
 	header("Cache-Control: no-cache");
-	if ($adminer->headers()) {
-		header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
-		header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
-		header("X-Content-Type-Options: nosniff");
-		header("Referrer-Policy: origin-when-cross-origin");
-	}
+	header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
+	header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
+	header("X-Content-Type-Options: nosniff");
+	header("Referrer-Policy: origin-when-cross-origin");
+	$adminer->headers();
 }

 /** Print flash and error messages
--- a/changes.txt
+++ b/changes.txt
@@ -6,6 +6,7 @@ PostgreSQL: Sort table names (regression from 4.3.1)
 Editor: Don't set time zone from PHP, fixes DST
 Editor: Display field comment's text inside [] only in edit form
 Editor: Fix doubleclick on database page
+Customization: Always send security headers
 Hebrew translation

 Adminer 4.3.1 (released 2017-04-14):
--- a/editor/include/adminer.inc.php
+++ b/editor/include/adminer.inc.php
@@ -45,7 +45,6 @@ class Adminer {
 	}

 	function headers() {
-		return true;
 	}

 	function head() {
--- a/plugins/frames.php
+++ b/plugins/frames.php
@@ -20,11 +20,9 @@ class AdminerFrames {
 	function headers() {
 		if ($this->sameOrigin) {
 			header("X-Frame-Options: SameOrigin");
+		} elseif (function_exists('header_remove')) {
+			header_remove("X-Frame-Options");
 		}
-		header("X-XSS-Protection: 0");
-		header("X-Content-Type-Options: nosniff");
-		header("Referrer-Policy: origin-when-cross-origin");
-		return false;
 	}
 	
 }