From e231abd9bfac66e69db810c986792f9ba1a9d581 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Fri, 17 Nov 2023 11:07:35 +0100
Subject: fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default
 on `script-src-elem`

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 lib/public/AppFramework/Http/ContentSecurityPolicy.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/public/AppFramework')

diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 386d908ffb6..7f93f7004d9 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -49,7 +49,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var bool Whether strict-dynamic should be set */
 	protected $strictDynamicAllowed = false;
 	/** @var bool Whether strict-dynamic should be set for 'script-src-elem' */
-	protected $strictDynamicAllowedOnScripts = false;
+	protected $strictDynamicAllowedOnScripts = true;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',
-- 
cgit v1.2.3