Merge branches 'faster-encryption-load', 'fix-security-header' and 'fix-session-xss'

2020-05-03 17:31:10 +02:00
parent c2cd0258f1 0f97ddd573 81b8b78df0
commit 6189120795
1 changed files with 2 additions and 1 deletions
--- a/chat.php
+++ b/chat.php
@ -45,6 +45,7 @@ load_config();
 if(!isset($_REQUEST['session']) && isset($_COOKIE[COOKIENAME])){
 	$_REQUEST['session']=$_COOKIE[COOKIENAME];
 }
+$_REQUEST['session'] = preg_replace('/[^0-9a-zA-Z]/', '', $_REQUEST['session']);
 load_lang();
 check_db();
 cron();
@ -3285,7 +3286,7 @@ function send_headers(){
 	header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
 	header('Expires: 0');
 	header('Referrer-Policy: no-referrer');
-	header('Content-Security-Policy: referrer never');
+	header("Content-Security-Policy: default-src 'self'; img-src *; media-src *; script-src 'self'; style-src *");
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: sameorigin');
    header('X-XSS-Protection: 1; mode=block');