diff options
| author | Morris Jobke <hey@morrisjobke.de> | 2015-10-09 15:25:11 +0200 |
|---|---|---|
| committer | Morris Jobke <hey@morrisjobke.de> | 2015-10-09 15:25:11 +0200 |
| commit | 4214df7bf6be47c4d96bad1ca9b8605f80088762 (patch) | |
| tree | 771ffa0aa1833720147d116158dd91f0dfbd7443 | |
| parent | 28de9c7357aad29fb3f84ef307c24dbd25ead675 (diff) | |
| parent | bb5b7290ac4538e18bddc18d94b7e82d432e1d59 (diff) | |
| download | nextcloud-server-4214df7bf6be47c4d96bad1ca9b8605f80088762.tar.gz nextcloud-server-4214df7bf6be47c4d96bad1ca9b8605f80088762.zip | |
Merge pull request #18958 from owncloud/stable8-backport-17791
[stable8] Add custom CSP for Win 10 compatibility
| -rw-r--r-- | lib/private/eventsource.php | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/private/eventsource.php b/lib/private/eventsource.php index 53947f3a2f2..074c700a6fb 100644 --- a/lib/private/eventsource.php +++ b/lib/private/eventsource.php @@ -41,6 +41,17 @@ class OC_EventSource implements \OCP\IEventSource { $this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true'; if ($this->fallback) { $this->fallBackId = (int)$_GET['fallback_id']; + /** + * FIXME: The default content-security-policy of ownCloud forbids inline + * JavaScript for security reasons. IE starting on Windows 10 will + * however also obey the CSP which will break the event source fallback. + * + * As a workaround thus we set a custom policy which allows the execution + * of inline JavaScript. + * + * @link https://github.com/owncloud/core/issues/14286 + */ + header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'"); header("Content-Type: text/html"); echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy } else { |