authorLukas Reschke <lukas@owncloud.com>2016-04-12 13:30:37 +0200
committerLukas Reschke <lukas@owncloud.com>2016-04-12 13:30:37 +0200
commit0cba1ba7f9b40bb2bdf7eb2939702389c646d99a (patch)
treec08c4925ed177053ddab073a44221de820a94575 /remote.php
parent16df1c5188d5a312ef5db7db427961597fe56ebe (diff)
Employ a stricter Content Security Policy on remote.php
Items sent by remote.php are not to be interpreted by browsers in any way.
Diffstat (limited to 'remote.php')
-rw-r--r--remote.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/remote.php b/remote.php
index 86b47629d73..814286860af 100644
--- a/remote.php
+++ b/remote.php
@@ -108,6 +108,11 @@ function resolveService($service) {
try {
require_once 'lib/base.php';
+ // All resources served via the DAV endpoint should have the strictest possible
+ // policy. Exempted from this is the SabreDAV browser plugin which overwrites
+ // this policy with a softer one if debug mode is enabled.
+ header("Content-Security-Policy: default-src 'none';");
+
if (\OCP\Util::needUpgrade()) {
// since the behavior of apps or remotes are unpredictable during
// an upgrade, return a 503 directly