From 1ae30d1d9c849b3e1ef3e75a78bd3aab49f48afd Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 15 Dec 2015 16:37:10 +0100
Subject: [PATCH 1/2] Use setifempty to please incompatible httpd versions

Some httpd versions have problem with the old logic leading to resourced served with multiple headers.
---
 .htaccess | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.htaccess b/.htaccess
index bb030c6acca..db1fa997555 100644
--- a/.htaccess
+++ b/.htaccess
@@ -14,9 +14,12 @@
 Header set X-Frame-Options "SAMEORIGIN"
 SetEnv modHeadersAvailable true
- # Add CSP header if not set, used for static resources
- Header append Content-Security-Policy ""
- Header edit Content-Security-Policy "^$" "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'"
+
+ = 2.4.7>
+ # Add CSP header if not set, used for static resources
+ Header setifempty Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'"
+
+
 # Add cache control for CSS and JS files

From 047008e9e39b9481b6a2268af1d8d2922a569174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Thu, 7 Jan 2016 12:52:48 +0100
Subject: [PATCH 2/2] always check if the csp is empty
---
 .htaccess | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.htaccess b/.htaccess
index db1fa997555..b4c7eee9312 100644
--- a/.htaccess
+++ b/.htaccess
@@ -17,7 +17,7 @@
 = 2.4.7>
 # Add CSP header if not set, used for static resources
- Header setifempty Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'"
+ Header always setifempty Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'"
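Review bot: On httpd older than 2.4.7 the first hunk of patch 1/2 appears to leave static resources with no Content-Security-Policy at all. The only CSP directive now sits inside what the `= 2.4.7>` remnant suggests is an `<IfVersion >= 2.4.7>` guard (the tags themselves are stripped in this rendering), and the removed `append`/`edit` pair is not kept as a fallback. If that trade-off is intended, record it next to the directive, e.g. `# setifempty needs httpd >= 2.4.7; older servers send no CSP for static files`. `<IfVersion>` is provided by mod_version, so confirm that module is loaded wherever this .htaccess is deployed, otherwise the file may fail to parse.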
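Review bot: `Header always setifempty` in patch 2/2 inspects only the `always` header table, so a Content-Security-Policy that the application placed in the default `onsuccess` table would not count as present. The response could then carry two CSP headers, which is the symptom patch 1/2 set out to remove. Per the mod_headers documentation the two tables are separate, and which one holds backend headers depends on the handler (CGI/FastCGI versus an in-process module), so this should be verified on both kinds of setup. Browsers enforce every CSP header they receive, so a duplicate would apply `default-src 'none'` on top of the application's own policy. A comment such as `# "always": headers from CGI/FastCGI backends live in this table` would record why the condition was chosen.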