Allow eval() and send headers for legacy browsers

The blocking of eval() seems to have problems with JQuery 1.7.2 - let's allow it for now and disable it in the future.

diff --git a/lib/template.php b/lib/template.php
index 0780a81e7d19f93ab1faaed056a08ba050f7035e..632268b00238b97966584bf0ec3259b62824cf35 100644 (file)
--- a/lib/template.php
+++ b/lib/template.php
@@ -189,8 +189,12 @@ class OC_Template{
                header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
                header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
                header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-               header('Content-Security-Policy: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *');
-               header('X-WebKit-CSP: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *');
+
+               // Content Security Policy
+               $policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *';
+               header('Content-Security-Policy:'.$policy); // Standard
+               header('X-WebKit-CSP:'.$policy); // Older webkit browsers
+               header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer
 
                $this->findTemplate($name);
        }