author | Clark Tomlinson <fallen013@gmail.com> | 2015-02-18 10:27:29 -0500 |
committer | Clark Tomlinson <fallen013@gmail.com> | 2015-02-18 10:27:29 -0500 |
commit | 8d09cc3b91a9689a6c95e06c8002288bdd8d5bbf (patch) | |
tree | 81e09b101401476c2de80460a994a34ff26b75d8 /lib/private/response.php | |
parent | 84cc90a0ee81d32001ccaa38795cbcf4343ac2f0 (diff) | |
parent | a9d1a0144018e60ba2728708bf965b4d9855920b (diff) | |
Merge pull request #13989 from owncloud/enhancment/security/11857
Allow AppFramework applications to specify a custom CSP header
Diffstat (limited to 'lib/private/response.php')
-rw-r--r-- | lib/private/response.php | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/private/response.php b/lib/private/response.php
index 9be5d75c314..600b702810c 100644
--- a/lib/private/response.php
+++ b/lib/private/response.php
@@ -189,7 +189,7 @@ class OC_Response {
 }
 }
 
- /*
+ /**
 * This function adds some security related headers to all requests served via base.php
 * The implementation of this function has to happen here to ensure that all third-party
 * components (e.g. SabreDAV) also benefit from this headers.
@@ -204,17 +204,20 @@ class OC_Response {
 header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
 }
 
- // Content Security Policy
- // If you change the standard policy, please also change it in config.sample.php
- $policy = OC_Config::getValue('custom_csp_policy',
- 'default-src \'self\'; '
+ /**
+ * FIXME: Content Security Policy for legacy ownCloud components. This
+ * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
+ * is used everywhere.
+ * @see \OCP\AppFramework\Http\Response::getHeaders
+ */
+ $policy = 'default-src \'self\'; '
 . 'script-src \'self\' \'unsafe-eval\'; '
 . 'style-src \'self\' \'unsafe-inline\'; '
 . 'frame-src *; '
 . 'img-src *; '
 . 'font-src \'self\' data:; '
 . 'media-src *; '
- . 'connect-src *');
+ . 'connect-src *';
 header('Content-Security-Policy:' . $policy);
 
 // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
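Review bot: Removing the `OC_Config::getValue('custom_csp_policy', …)` read in the second hunk means an administrator who had tightened the legacy policy (for example dropping `'unsafe-eval'` from `script-src` or narrowing `frame-src *` / `connect-src *`) now silently falls back to the permissive hard-coded default, and nothing in the hunk records that the option stopped being honoured. The FIXME comment above `$policy` should state this explicitly, e.g. `* NOTE: the former custom_csp_policy config option is no longer read here; tighten the policy per app via the AppFramework Response instead.`, and the removed comment's pointer to config.sample.php suggests that file may still document the option (not visible here, so worth checking). As a style point, `/** … */` on a local assignment is a PHPDoc block attached to no symbol; a plain `/* … */` (or `//` lines) keeps the `@see` from being picked up by documentation tooling. The enclosing method starts and ends outside both hunks.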