Disallow unsafe-eval by default

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2018-09-03 15:28:37 +0200
committer: Roeland Jago Douma <roeland@famdouma.nl> 2018-10-14 20:45:34 +0200
commit: 5b61ef9213df0ff67ebd5b9c88a8e1562f367351 (patch)
tree: 19543e649aec57ce289ea47fb3cd8d3121fc6557 /lib
parent: 0fca815b4dd601381a909656a1e3e7a7e89714d2 (diff)
download: nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.tar.gz
nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.zip
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 3445e8f8802..02a52c6c49d 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -44,12 +44,8 @@ namespace OCP\AppFramework\Http;
 class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var bool Whether inline JS snippets are allowed */
 	protected $inlineScriptAllowed = false;
-	/**
-	 * @var bool Whether eval in JS scripts is allowed
-	 * TODO: Disallow per default
-	 * @link https://github.com/owncloud/core/issues/11925
-	 */
-	protected $evalScriptAllowed = true;
+	/** @var bool Whether eval in JS scripts is allowed */
+	protected $evalScriptAllowed = false;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',
author	Roeland Jago Douma <roeland@famdouma.nl>	2018-09-03 15:28:37 +0200
committer	Roeland Jago Douma <roeland@famdouma.nl>	2018-10-14 20:45:34 +0200
commit	5b61ef9213df0ff67ebd5b9c88a8e1562f367351 (patch)
tree	19543e649aec57ce289ea47fb3cd8d3121fc6557 /lib
parent	0fca815b4dd601381a909656a1e3e7a7e89714d2 (diff)
download	nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.tar.gz nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.zip