Browse Source
Allow eval() and send headers for legacy browsers
The blocking of eval() seems to have problems with JQuery 1.7.2 - let's allow it for now and disable it in the future.tags/v5.0.0alpha1
Lukas Reschke
11 years ago
1 changed files with 6 additions and 2 deletions
+ 6
- 2
lib/template.php
View File
| @@ -189,8 +189,12 @@ class OC_Template{ | |||
| header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains | |||
| header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters | |||
| header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE | |||
| header('Content-Security-Policy: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *'); | |||
| header('X-WebKit-CSP: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *'); | |||
| // Content Security Policy | |||
| $policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *'; | |||
| header('Content-Security-Policy:'.$policy); // Standard | |||
| header('X-WebKit-CSP:'.$policy); // Older webkit browsers | |||
| header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer | |||
| $this->findTemplate($name); | |||
| } | |||
Loading…