diff options
| -rw-r--r-- | config/config.sample.php | 3 | ||||
| -rw-r--r-- | lib/template.php | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index dafb536fa6f..18b7532e8fb 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -104,6 +104,9 @@ $CONFIG = array( /* Lifetime of the remember login cookie, default is 15 days */ "remember_login_cookie_lifetime" => 60*60*24*15, +/* Custom CSP policy, changing this will overwrite the standard policy */ +"custom_csp_policy" => "default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *", + /* The directory where the user data is stored, default to data in the owncloud * directory. The sqlite database is also stored here, when sqlite is used. */ diff --git a/lib/template.php b/lib/template.php index 632268b0023..96ca2c8afb3 100644 --- a/lib/template.php +++ b/lib/template.php @@ -191,7 +191,7 @@ class OC_Template{ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE // Content Security Policy - $policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *'; + $policy = OC_Config::getValue('custom_csp_policy', 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *'); header('Content-Security-Policy:'.$policy); // Standard header('X-WebKit-CSP:'.$policy); // Older webkit browsers header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer |