From adfd1e63f67a49e69d0c7949b8b06ad7662f6a85 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Thu, 16 Mar 2017 15:16:20 +0100
Subject: Add base-uri to CSP policy

As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lib/public')

diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 90ba47a2f3f..c53b5b2146c 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -335,6 +335,7 @@ class EmptyContentSecurityPolicy {
 	 */
 	public function buildPolicy() {
 		$policy = "default-src 'none';";
+		$policy .= "base-uri 'none';";
 
 		if(!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
 			$policy .= 'script-src ';
-- 
cgit v1.2.3