fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem`

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
author: Ferdinand Thiessen <opensource@fthiessen.de> 2023-11-17 11:07:35 +0100
committer: Ferdinand Thiessen <opensource@fthiessen.de> 2023-11-17 14:42:36 +0100
commit: e231abd9bfac66e69db810c986792f9ba1a9d581 (patch)
tree: 9d504aec821265bebcd56c342651a9d47700f44c /lib/public/AppFramework
parent: 7df9eb335199b3eb3016f92e8cba47e12366f306 (diff)
download: nextcloud-server-e231abd9bfac66e69db810c986792f9ba1a9d581.tar.gz
nextcloud-server-e231abd9bfac66e69db810c986792f9ba1a9d581.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 386d908ffb6..7f93f7004d9 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -49,7 +49,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var bool Whether strict-dynamic should be set */
 	protected $strictDynamicAllowed = false;
 	/** @var bool Whether strict-dynamic should be set for 'script-src-elem' */
-	protected $strictDynamicAllowedOnScripts = false;
+	protected $strictDynamicAllowedOnScripts = true;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',
author	Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 11:07:35 +0100
committer	Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 14:42:36 +0100
commit	e231abd9bfac66e69db810c986792f9ba1a9d581 (patch)
tree	9d504aec821265bebcd56c342651a9d47700f44c /lib/public/AppFramework
parent	7df9eb335199b3eb3016f92e8cba47e12366f306 (diff)
download	nextcloud-server-e231abd9bfac66e69db810c986792f9ba1a9d581.tar.gz nextcloud-server-e231abd9bfac66e69db810c986792f9ba1a9d581.zip