Add CSP header

author: Lukas Reschke <lukas@statuscode.ch> 2013-01-20 12:06:33 +0100
committer: Lukas Reschke <lukas@statuscode.ch> 2013-01-20 12:06:33 +0100
commit: c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c (patch)
tree: 122cee7e56b3e4ad064b3b9baf128e51bb9e8438 /lib/template.php
parent: 8daefd00fbed7dd06da707418b2690e0aed2ea5a (diff)
download: nextcloud-server-c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c.tar.gz
nextcloud-server-c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c.zip
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/template.php b/lib/template.php
index f7124ebc09c..fa2df6c67ee 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -186,10 +186,11 @@ class OC_Template{
 		$this->l10n = OC_L10N::get($parts[0]);
 
 		// Some headers to enhance security
-		header('X-Frame-Options: Sameorigin');
-		header('X-XSS-Protection: 1; mode=block');
-		header('X-Content-Type-Options: nosniff');
-
+		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+		header('Content-Security-Policy: script-src \'self\' \'unsafe-inline\'; object-src \'self\''); // Disallow external JS/Flash + eval()
+		
 		$this->findTemplate($name);
 	}
author	Lukas Reschke <lukas@statuscode.ch>	2013-01-20 12:06:33 +0100
committer	Lukas Reschke <lukas@statuscode.ch>	2013-01-20 12:06:33 +0100
commit	c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c (patch)
tree	122cee7e56b3e4ad064b3b9baf128e51bb9e8438 /lib/template.php
parent	8daefd00fbed7dd06da707418b2690e0aed2ea5a (diff)
download	nextcloud-server-c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c.tar.gz nextcloud-server-c82d6e51536f4a7f72ad8968e78f8d2a6f7f220c.zip