Unset the Content-Security-Policy header for the /phpmyadmin directory

I am trying to remove the restrictions on the /phpmyadmin module by unsetting/resetting the header values.

In the Apache conf file I have

<Directory />
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options +Indexes
</Directory>

Followed by (this is what I later want to override):

<IfModule mod_headers.c>
    <If "%{REQUEST_URI} !~ m#^/admin#">

            Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https:/$
    img-src https://* data:; style-src 'self' 'unsafe-inline'; child-src https://*.facebook.com; base-uri 'none'; form-action 'self' https://c$
            Header always set X-XSS-Protection "1; mode=block"
            Header always set X-Frame-Options "DENY"
            Header always set X-Content-Type-Options "nosniff"
            Header always set Referrer-Policy "strict-origin-when-cross-origin"
            Header set Feature-Policy "sync-xhr 'self'; payment 'none';"
    </If>
</IfModule>

Here is my phpmyadmin.conf

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All

    <IfModule mod_php5.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/p$
        php_admin_value mbstring.func_overload 0
    </IfModule>
    <IfModule mod_php.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        <FilesMatch ".+\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>

        php_value include_path .
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/p$
        php_admin_value mbstring.func_overload 0
    </IfModule>

</Directory>


# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authz_core.c>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "phpMyAdmin Setup"
            AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>

And finally /usr/share/phpmyadmin/.htaccess

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

<IfModule mod_headers.c>
    Header unset Content-Security-Policy
    Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline';$

</IfModule>


php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 200
php_value max_input_time 200

When I look at the response headers, the result in the browser is as follows:

Cache-Control: private, max-age=10800
Content-Encoding: gzip
Content-Security-Policy: default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://counter.top.ge https://connect.facebook.net; connect-src 'self'; img-src https://* data:; style-src 'self' 'unsafe-inline'; child-src https://*.facebook.com; base-uri 'none'; form-action 'self' https://cse.google.com; frame-ancestors 'none'; report-uri /csp-report.php;
Content-Type: text/javascript; charset=UTF-8
Date: Tue, 28 Apr 2020 19:30:27 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT

You can see that the Content-Security-Policy directive appears twice; the first one is the one I need, but the default server-wide configuration overrides it.

Any help would be greatly appreciated.
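The security-relevant detail behind the captured response is that a browser does not pick one of two Content-Security-Policy headers: every delivered policy is enforced, so a load is permitted only if all of them allow it, and a per-directory policy can only tighten, never loosen, a server-wide one. The script below is an added example (not from the question or from phpMyAdmin) that parses the two header values copied from the response above and reports, per policy and in combination, whether a few constructed loads would be allowed. PAGE_ORIGIN, the checked URLs, and the simplified source matching (paths and ports ignored, exact scheme match) are assumptions made for illustration.

```python
"""Added example (not from the question): model what a browser does when a
response carries two Content-Security-Policy headers. Each delivered policy
is enforced independently, so a load must be allowed by every one of them.
The two header values below are copied from the response shown above;
PAGE_ORIGIN and the checked URLs are assumptions for illustration."""
from urllib.parse import urlsplit

CSP_HTACCESS = (
    "default-src 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; "
    "frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
)
CSP_SERVER = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com "
    "https://counter.top.ge https://connect.facebook.net; connect-src 'self'; img-src https://* data:; "
    "style-src 'self' 'unsafe-inline'; child-src https://*.facebook.com; base-uri 'none'; "
    "form-action 'self' https://cse.google.com; frame-ancestors 'none'; report-uri /csp-report.php;"
)
PAGE_ORIGIN = "https://example.test"  # assumed origin of the phpMyAdmin page

# Directives that fall back to default-src when absent (frame-src's extra
# fallback via child-src is simplified away here).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "frame-src",
                    "child-src", "font-src", "media-src", "object-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; per the spec the
    first occurrence of a directive name wins and later duplicates are ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # "*.facebook.com" matches subdomains only
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(src, url, origin):
    """Does one source expression permit loading `url` from a page at `origin`?
    Simplified: paths and ports are ignored and schemes must match exactly."""
    src = src.lower()
    u = urlsplit(url)
    if src == "'self'":
        o = urlsplit(origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if src.startswith("'"):                 # 'none', 'unsafe-*', nonces: never match a URL
        return False
    if src.endswith(":") and "/" not in src:  # scheme-source such as https: or data:
        return u.scheme == src[:-1]
    if "://" in src:                        # host-source with scheme, e.g. https://*.facebook.com
        scheme, rest = src.split("://", 1)
        return u.scheme == scheme and _host_matches(rest.split("/", 1)[0], u.hostname or "")
    return _host_matches(src.split("/", 1)[0], u.hostname or "")


def policy_allows(policy, directive, subject, origin=PAGE_ORIGIN):
    """`subject` is a URL, or the keyword 'unsafe-inline' / 'unsafe-eval'."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:                     # directive not governed by this policy
        return True
    if subject in ("'unsafe-inline'", "'unsafe-eval'"):
        return subject in [s.lower() for s in sources]
    return any(source_allows(s, subject, origin) for s in sources)


def browser_allows(policies, directive, subject, origin=PAGE_ORIGIN):
    """The effective policy is the intersection: every delivered policy must allow it."""
    return all(policy_allows(p, directive, subject, origin) for p in policies)


def report(headers, checks, origin=PAGE_ORIGIN):
    """Return {(directive, subject): (effective verdict, [per-policy verdicts])}."""
    policies = [parse_csp(h) for h in headers]
    return {(d, s): (browser_allows(policies, d, s, origin),
                     [policy_allows(p, d, s, origin) for p in policies])
            for d, s in checks}


CHECKS = [  # constructed loads a phpMyAdmin page might attempt
    ("script-src", "'unsafe-eval'"),
    ("script-src", "'unsafe-inline'"),
    ("script-src", PAGE_ORIGIN + "/js/main.js"),
    ("script-src", "https://www.google-analytics.com/analytics.js"),
    ("img-src", "https://cdn.example.test/logo.png"),
    ("frame-ancestors", PAGE_ORIGIN),
]

if __name__ == "__main__":
    for (d, s), (effective, per) in report([CSP_HTACCESS, CSP_SERVER], CHECKS).items():
        print(f"{d:16} {s:48} htaccess={per[0]!s:5} server={per[1]!s:5} effective={effective}")
```

Running it shows that 'unsafe-eval' and the Google Analytics script are each allowed by exactly one of the two policies and therefore blocked in practice, so the extra allowances in the .htaccess policy have no effect while the server-wide header is still sent. On the Apache side two documented behaviours explain why the unset did not take: `Header unset` without `always` only touches the onsuccess header table, while `Header always set` writes to a separate table, and `<If>` sections are merged after `<Directory>` and .htaccess, so the server-level `Header set` runs after the per-directory unset. Excluding the phpMyAdmin path in the `<If>` condition itself is the more targeted place to make the exception.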
