Merge pull request #4127 from nextcloud/update-legacy-csp-policy

Update legacy CSP policy
author: Morris Jobke <hey@morrisjobke.de> 2017-03-28 17:47:32 -0600
committer: GitHub <noreply@github.com> 2017-03-28 17:47:32 -0600
commit: dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68 (patch)
tree: 92fcfe630ea57430f188e07b905a4128f840f0d7 /lib/private/legacy/response.php
parent: 4f09dc71e0902a693ccb9c59a9ea6b1f258eefa1 (diff)
parent: 3a90ab7e0a6e3d99f41c0735b592adff246a9e15 (diff)
download: nextcloud-server-dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68.tar.gz
nextcloud-server-dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
index 8937b56a707..115eb5baa68 100644
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@@ -253,7 +253,9 @@ class OC_Response {
 			. 'img-src * data: blob:; '
 			. 'font-src \'self\' data:; '
 			. 'media-src *; ' 
-			. 'connect-src *';
+			. 'connect-src *; '
+			. 'object-src \'none\'; '
+			. 'base-uri \'self\'; ';
 		header('Content-Security-Policy:' . $policy);
 		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
author	Morris Jobke <hey@morrisjobke.de>	2017-03-28 17:47:32 -0600
committer	GitHub <noreply@github.com>	2017-03-28 17:47:32 -0600
commit	dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68 (patch)
tree	92fcfe630ea57430f188e07b905a4128f840f0d7 /lib/private/legacy/response.php
parent	4f09dc71e0902a693ccb9c59a9ea6b1f258eefa1 (diff)
parent	3a90ab7e0a6e3d99f41c0735b592adff246a9e15 (diff)
download	nextcloud-server-dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68.tar.gz nextcloud-server-dbf6b7ff8623c1d8fcc98398d2a7415ffb7b2a68.zip