Revert "9920: set CSP and STS security header"
authorPhilipp Schüle <p.schuele@metaways.de>
Fri, 23 May 2014 09:38:59 +0000 (11:38 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Fri, 23 May 2014 09:39:14 +0000 (11:39 +0200)
-> moved to pu/2013.10-longrun

This reverts commit abb57dd777e69fd06e69065f33079cd00220ce2d.

Change-Id: I944a75fdc8915b1ff2fc8c1f47bd05777dd38c6b
Reviewed-on: http://gerrit.tine20.com/customers/684
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
Tested-by: Philipp Schüle <p.schuele@metaways.de>
tine20/Tinebase/Frontend/Http.php

index 84479aa..1843468 100644 (file)
@@ -267,7 +267,9 @@ class Tinebase_Frontend_Http extends Tinebase_Frontend_Http_Abstract
     /**
      * set headers for mainscreen
      * 
+     * @todo think about CSP: is only supported by FF atm, which options/exceptions should we choose?
      * @todo allow to configure security headers?
+     * @todo add violation report for CSP? @see https://developer.mozilla.org/en/Security/CSP/Using_CSP_violation_reports
      */
     protected function _setMainscreenHeaders()
     {
@@ -281,16 +283,9 @@ class Tinebase_Frontend_Http extends Tinebase_Frontend_Http_Abstract
         // @see https://developer.mozilla.org/en/the_x-frame-options_response_header
         header('X-Frame-Options: SAMEORIGIN');
         
-        // set Content-Security-Policy header against clickjacking and XSS
+        // set X-Content-Security-Policy header against clickjacking and XSS
         // @see https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives
-        header("Content-Security-Policy: default-src 'self'");
-        header("Content-Security-Policy: script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");
-        // headers for IE 10+11
-        header("X-Content-Security-Policy: default-src 'self'");
-        header("X-Content-Security-Policy: script-src 'self' 'unsafe-eval' https://versioncheck.tine20.net");
-        
-        // set Strict-Transport-Security; used only when served over HTTPS
-        header('Strict-Transport-Security: max-age=16070400');
+        //header("X-Content-Security-Policy: allow 'self' https://*.officespot20.com;");
         
         // cache mainscreen for 10 minutes
         $maxAge = 600;
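Review bot: The comment kept on the new side, `// set X-Content-Security-Policy header against clickjacking and XSS`, now describes a header that is never sent — the only statement under it is the commented-out `//header("X-Content-Security-Policy: allow 'self' https://*.officespot20.com;");` — so a reader skimming _setMainscreenHeaders will assume a CSP is in place when only X-Frame-Options is. Since the reverted work is, per the commit message, continued in pu/2013.10-longrun, I'd replace the comment and the dead line with `// no Content-Security-Policy / Strict-Transport-Security here yet; see pu/2013.10-longrun and the @todo entries above` so the absence is explicit rather than implied by a stale comment. The `allow` form in that commented-out line is the old Firefox-prefixed X-CSP syntax, not the standard directive set, so it is unlikely to be a useful starting point if someone uncomments it later. The restored `@todo` in the first hunk stating that CSP "is only supported by FF atm" was already out of date in 2014 and could mislead whoever picks this up; consider trimming it to the open question about which directives to choose. The body of _setMainscreenHeaders continues outside the hunk.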