Index: openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl,v
diff -u -r1.2.2.8 -r1.2.2.9
--- openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 12 Sep 2016 08:29:49 -0000 1.2.2.8
+++ openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 12 Sep 2016 18:08:38 -0000 1.2.2.9
@@ -73,21 +73,6 @@
 -lang en \
 -content "OpenACS version [ad_acs_version]"
-#
-# Add the content security policy. Since this is the blank master, we
-# are defensive and check, if the system has already support for it
-# via the CSPEnabledP kernel parameter. Otherwise users would be
-# blocked out.
-#
-if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0]
- && [info commands ::security::csp::render] ne ""
-} {
- set csp [::security::csp::render]
- if {$csp ne ""} {
- ns_set put [ns_conn outputheaders] Content-Security-Policy $csp
- }
-}
-
 # Add standard javascript
 #
 # Include core.js inclusion to the bottom of the body.
@@ -256,7 +241,29 @@
 # body event handlers are converted into body_scripts
 template::get_body_event_handlers
+#
+# Add the content security policy. Since this is the blank master, we
+# are defensive and check, if the system has already support for it
+# via the CSPEnabledP kernel parameter. Otherwise users would be
+# blocked out.
+#
+if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0]
+ && [info commands ::security::csp::render] ne ""
+} {
+ set csp [::security::csp::render]
+ if {$csp ne ""} {
+ set ua [ns_set iget [ns_conn headers] user-agent]
+ if {[regexp {Trident/.*rv:([0-9]{1,}[\.0-9]{0,})} $ua]} {
+ set field X-Content-Security-Policy
+ } else {
+ set field Content-Security-Policy
+ }
+
+ ns_set put [ns_conn outputheaders] $field $csp
+ }
+}
+
 # Local variables:
 # mode: tcl
 # tcl-indent-level: 4
Index: openacs-4/www/blank-master.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/www/blank-master.tcl,v
diff -u -r1.56.2.9 -r1.56.2.10
--- openacs-4/www/blank-master.tcl 12 Sep 2016 08:29:49 -0000 1.56.2.9
+++ openacs-4/www/blank-master.tcl 12 Sep 2016 18:08:38 -0000 1.56.2.10
@@ -84,7 +84,15 @@
 } {
 set csp [::security::csp::render]
 if {$csp ne ""} {
- ns_set put [ns_conn outputheaders] Content-Security-Policy $csp
+
+ set ua [ns_set iget [ns_conn headers] user-agent]
+ if {[regexp {Trident/.*rv:([0-9]{1,}[\.0-9]{0,})} $ua]} {
+ set field X-Content-Security-Policy
+ } else {
+ set field Content-Security-Policy
+ }
+
+ ns_set put [ns_conn outputheaders] $field $csp
 }
 }
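Review bot: In the `@@ -256,7 +241,29 @@` hunk of installer/www/blank-master.tcl (and identically in the `@@ -84,7 +84,15 @@` hunk of www/blank-master.tcl), the header name is chosen from the request's User-Agent, so a response built for a `Trident/...rv:` client carries only `X-Content-Security-Policy` and no standard header. Nothing in the visible lines adds `Vary: User-Agent`, so a shared cache or reverse proxy in front of the server could hand that response to other browsers, which ignore the prefixed name and would then render the page without any policy. It would be safer to always send the standard header and add the prefixed one only as an extra: `ns_set put [ns_conn outputheaders] Content-Security-Policy $csp` unconditionally, followed by `if {[regexp {Trident/.*rv:[0-9]} $ua]} { ns_set put [ns_conn outputheaders] X-Content-Security-Policy $csp }`. As far as I know, Internet Explorer's prefixed header honours only the `sandbox` directive, so a comment stating how much of the rendered policy those clients actually enforce would help the next maintainer.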
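Review bot: The `@@ -84,7 +84,15 @@` hunk of www/blank-master.tcl repeats, line for line, the User-Agent test added to installer/www/blank-master.tcl, so any later correction to the pattern or the header names has to be made in two places. Moving the selection into one small proc that both templates call would keep them in step; the installer copy would presumably still need its `info commands` guard, since the comment in the other hunk says that file must work on systems without CSP support. The capture group and the `{1,}`/`{0,}` quantifiers in the regexp are unused because only the match result is tested, so `{Trident/.*rv:[0-9]}` expresses the same check more plainly. The enclosing `if` starts above this hunk, so its condition is not visible here.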