author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-11-17 16:19:03 +0100 |
---|---|---|
committer | Morris Jobke <hey@morrisjobke.de> | 2020-12-01 22:23:13 +0100 |
commit | 3fb850940f0bd6337cef4b3712d34a288ea90820 (patch) | |
tree | e9cf2e13eaef4065aaaa1ad7e25a8f34823eb848 /lib/public | |
parent | 86da5013c802694d827ff0cb0880643b36aa23ab (diff) | |
download | nextcloud-server-3fb850940f0bd6337cef4b3712d34a288ea90820.tar.gz nextcloud-server-3fb850940f0bd6337cef4b3712d34a288ea90820.zip |
Set frame-ancestors to none if none are filled
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/public')
-rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 6265bb04c5c..d4c3a022c13 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -509,6 +509,8 @@ class EmptyContentSecurityPolicy { if (!empty($this->allowedFrameAncestors)) { $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors); $policy .= ';'; + } else { + $policy .= 'frame-ancestors \'none\';'; } if (!empty($this->allowedWorkerSrcDomains)) { |
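Review bot: The new `else` branch changes what an empty `$this->allowedFrameAncestors` means, and nothing visible here documents or tests that. Before this change the directive was omitted, which placed no CSP restriction on framing. Now the policy carries `frame-ancestors 'none';`, so a response that uses EmptyContentSecurityPolicy and is expected to be framed will be blocked unless the caller fills in ancestors explicitly. Please state the new default in the class docblock, and add a unit test that asserts the emitted policy for the empty case (the diffstat shown is limited to lib/public, so no test change is visible in this view). Minor style point on the added line: a double-quoted string, `$policy .= "frame-ancestors 'none';";`, avoids the escaped quotes and reads more easily next to the non-empty branch.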