Update legacy CSP policy 4127/head
authorLukas Reschke <lukas@statuscode.ch>
Tue, 28 Mar 2017 21:55:31 +0000 (23:55 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Tue, 28 Mar 2017 21:55:31 +0000 (23:55 +0200)
Aligns it with the one enforced by the AppFramework

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
lib/private/legacy/response.php

index 69c84e2df6888c3315544a932704d5542558dcd0..d5c9ed78f6435e9c246e7a3812525ad8d96e9964 100644 (file)
@@ -253,7 +253,9 @@ class OC_Response {
                        . 'img-src * data: blob:; '
                        . 'font-src \'self\' data:; '
                        . 'media-src *; ' 
-                       . 'connect-src *';
+                       . 'connect-src *; '
+                       . 'object-src \'none\'; '
+                       . 'base-uri \'self\'; ';
                header('Content-Security-Policy:' . $policy);
 
                // Send fallback headers for installations that don't have the possibility to send
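Review bot: The new last fragment on the `base-uri` line ends the policy with `'; '`, so the header value now terminates in an empty directive (`...base-uri 'self'; `), whereas the replaced line deliberately had no trailing separator; browsers tolerate an empty trailing directive, but the dangling separator is noise and will silently hide a missing semicolon if another directive is appended later, so the final fragment should read `. 'base-uri \'self\'';`. Adding `object-src 'none'` and `base-uri 'self'` is a sound hardening step and presumably matches the AppFramework policy the description refers to, though only this tail of the string is visible here. The start of the `$policy` concatenation and the enclosing method lie outside the hunk, so the remaining directives (e.g. whether a `frame-ancestors` or `form-action` entry exists) cannot be checked from this view.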