Add base-uri to CSP policy

As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
author: Lukas Reschke <lukas@statuscode.ch> 2017-03-16 15:16:20 +0100
committer: Lukas Reschke <lukas@statuscode.ch> 2017-03-16 15:16:20 +0100
commit: adfd1e63f67a49e69d0c7949b8b06ad7662f6a85 (patch)
tree: 8907c3fbf72f18c9f64f3951b1174d4386d5bd59 /lib
parent: 793d7d1bd75ef1e35cc29aef5ac03dc95aa248bb (diff)
download: nextcloud-server-adfd1e63f67a49e69d0c7949b8b06ad7662f6a85.tar.gz
nextcloud-server-adfd1e63f67a49e69d0c7949b8b06ad7662f6a85.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 90ba47a2f3f..c53b5b2146c 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -335,6 +335,7 @@ class EmptyContentSecurityPolicy {
 	 */
 	public function buildPolicy() {
 		$policy = "default-src 'none';";
+		$policy .= "base-uri 'none';";
 
 		if(!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
 			$policy .= 'script-src ';
author	Lukas Reschke <lukas@statuscode.ch>	2017-03-16 15:16:20 +0100
committer	Lukas Reschke <lukas@statuscode.ch>	2017-03-16 15:16:20 +0100
commit	adfd1e63f67a49e69d0c7949b8b06ad7662f6a85 (patch)
tree	8907c3fbf72f18c9f64f3951b1174d4386d5bd59 /lib
parent	793d7d1bd75ef1e35cc29aef5ac03dc95aa248bb (diff)
download	nextcloud-server-adfd1e63f67a49e69d0c7949b8b06ad7662f6a85.tar.gz nextcloud-server-adfd1e63f67a49e69d0c7949b8b06ad7662f6a85.zip