wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Do not allow JavaScript "eval" in the public share auth page with Talk

Browse source 
Talk no longer uses JavaScript "eval", so the Content Security Policy
can now be configured to prevent its use in the public share
authentication page when the password is protected by Talk.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This commit is contained in:
Daniel Calviño Sánchez 2019-04-10 16:46:19 +02:00
parent d1e4d614da
commit dfe9e3fb2e
1 changed files with 0 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apps/files_sharing/lib/Controller/ShareController.php
View file

@ -164,7 +164,6 @@ class ShareController extends AuthPublicShareController {
$csp = new ContentSecurityPolicy();
$csp->addAllowedConnectDomain('*');
$csp->addAllowedMediaDomain('blob:');
$csp->allowEvalScript(true);
$response->setContentSecurityPolicy($csp);
}
@ -185,7 +184,6 @@ class ShareController extends AuthPublicShareController {
$csp = new ContentSecurityPolicy();
$csp->addAllowedConnectDomain('*');
$csp->addAllowedMediaDomain('blob:');
$csp->allowEvalScript(true);
$response->setContentSecurityPolicy($csp);
}