From 9163790b7cc3c566c3d203205359da93e31bb133 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Tue, 17 Nov 2020 16:19:03 +0100
Subject: Set frame-ancestors to none if none are filled

frame-ancestors doesn't fall back to default-src. So when we apply a very restricted CSP we should make sure to set it to 'none' and not leave it empty.

Signed-off-by: Roeland Jago Douma
---
 tests/lib/AppFramework/Http/DataResponseTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'tests/lib/AppFramework/Http/DataResponseTest.php')

diff --git a/tests/lib/AppFramework/Http/DataResponseTest.php b/tests/lib/AppFramework/Http/DataResponseTest.php
index a02cee67d31..889372775d6 100644
--- a/tests/lib/AppFramework/Http/DataResponseTest.php
+++ b/tests/lib/AppFramework/Http/DataResponseTest.php
@@ -65,7 +65,7 @@ class DataResponseTest extends \Test\TestCase {
 $expectedHeaders = [
 'Cache-Control' => 'no-cache, no-store, must-revalidate',
- 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
+ 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'",
 'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'",
 'X-Robots-Tag' => 'none',
 ];
--
cgit v1.2.3
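Review bot: The expected `Content-Security-Policy` value in `$expectedHeaders` is a hand-copied literal, so the reason `frame-ancestors 'none'` has to be there is not visible to whoever next edits this test. Because `frame-ancestors` does not inherit from `default-src`, a later edit that drops it from both the policy and this literal would leave a policy that still looks strict but no longer forbids framing of the response. I would add `// frame-ancestors has no default-src fallback; the strict default policy must state it explicitly` directly above the `'Content-Security-Policy'` entry. The test method starts and ends outside this hunk, so I cannot tell whether the expected string could instead be derived from the default policy object rather than repeated here.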