diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-09-03 15:28:37 +0200 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-10-14 20:45:34 +0200 |
| commit | 5b61ef9213df0ff67ebd5b9c88a8e1562f367351 (patch) | |
| tree | 19543e649aec57ce289ea47fb3cd8d3121fc6557 /tests/lib/AppFramework/Http/ResponseTest.php | |
| parent | 0fca815b4dd601381a909656a1e3e7a7e89714d2 (diff) | |
| download | nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.tar.gz nextcloud-server-5b61ef9213df0ff67ebd5b9c88a8e1562f367351.zip | |
Disallow unsafe-eval by default
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'tests/lib/AppFramework/Http/ResponseTest.php')
| -rw-r--r-- | tests/lib/AppFramework/Http/ResponseTest.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php index 5c867388369..61cfe2cabdc 100644 --- a/tests/lib/AppFramework/Http/ResponseTest.php +++ b/tests/lib/AppFramework/Http/ResponseTest.php @@ -59,14 +59,14 @@ class ResponseTest extends \Test\TestCase { $this->childResponse->setHeaders($expected); $headers = $this->childResponse->getHeaders(); - $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'"; + $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'"; $this->assertEquals($expected, $headers); } public function testOverwriteCsp() { $expected = [ - 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self'", + 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self'", ]; $policy = new Http\ContentSecurityPolicy(); $policy->allowInlineScript(true); |