diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2013-01-22 08:09:01 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2013-01-22 08:09:01 +0100 |
| commit | 351d206dd3b30e29c110ac8c519ce85d550ebb8b (patch) | |
| tree | 3b730dfede4a6d717e8816cd98dc597f66991525 /lib/template.php | |
| parent | 3ffbaf4795b9ccead2551a3310fcf27b33157bee (diff) | |
| download | nextcloud-server-351d206dd3b30e29c110ac8c519ce85d550ebb8b.tar.gz nextcloud-server-351d206dd3b30e29c110ac8c519ce85d550ebb8b.zip | |
Allow eval() and send headers for legacy browsers
The blocking of eval() seems to have problems with JQuery 1.7.2 - let's allow it for now and disable it in the future.
Diffstat (limited to 'lib/template.php')
| -rw-r--r-- | lib/template.php | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/template.php b/lib/template.php index 0780a81e7d1..632268b0023 100644 --- a/lib/template.php +++ b/lib/template.php @@ -189,8 +189,12 @@ class OC_Template{ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - header('Content-Security-Policy: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *'); - header('X-WebKit-CSP: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *'); + + // Content Security Policy + $policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *'; + header('Content-Security-Policy:'.$policy); // Standard + header('X-WebKit-CSP:'.$policy); // Older webkit browsers + header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer $this->findTemplate($name); } |