fix: CSP frame-src to enable PDF viewing (#9313)
@@ -5,4 +5,5 @@ General hardening of oCIS
|
||||
https://github.com/owncloud/ocis/pull/8777
|
||||
https://github.com/owncloud/ocis/pull/9025
|
||||
https://github.com/owncloud/ocis/pull/9167
|
||||
https://github.com/owncloud/ocis/pull/9313
|
||||
|
||||
|
||||
@@ -13,6 +13,7 @@ directives:
|
||||
- '''none'''
|
||||
frame-src:
|
||||
- '''self'''
|
||||
- 'blob:'
|
||||
- 'https://embed.diagrams.net/'
|
||||
img-src:
|
||||
- '''self'''
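Review bot: The added `- 'blob:'` entry under `frame-src` has no comment explaining why it is there, and the same uncommented entry is added in the second policy file (the `@@ -11,6 +11,7 @@ directives:` hunk). A blob: URL takes the origin of the page that created it, so this source lets any script already running in the web UI frame a document it assembled itself; the test expectations show the same policy also carries `script-src 'self' 'unsafe-inline'`, which makes that worth stating next to the entry. I would put a YAML comment above it in both files, for example `# blob: is needed by the in-browser PDF viewer (#9313); blob: frames are same-origin with the UI`. The updated download-file expectations suggest this policy is sent on file-download responses too, so it may be worth confirming whether only the web UI document needs the extra source. The `directives:` mapping starts and continues outside the hunk.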
|
||||
|
||||
@@ -11,6 +11,7 @@ directives:
|
||||
- '''self'''
|
||||
frame-src:
|
||||
- '''self'''
|
||||
- 'blob:'
|
||||
- 'https://embed.diagrams.net/'
|
||||
img-src:
|
||||
- '''self'''
|
||||
|
||||
@@ -271,7 +271,7 @@ Feature: download file
|
||||
And the following headers should be set
|
||||
| header | value |
|
||||
| Content-Disposition | attachment; filename*=UTF-8''"<file-name>"; filename="<file-name>" |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| X-Content-Type-Options | nosniff |
|
||||
| X-Download-Options | noopen |
|
||||
| X-Frame-Options | SAMEORIGIN |
|
||||
@@ -300,7 +300,7 @@ Feature: download file
|
||||
And the following headers should be set
|
||||
| header | value |
|
||||
| Content-Disposition | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| X-Content-Type-Options | nosniff |
|
||||
| X-Download-Options | noopen |
|
||||
| X-Frame-Options | SAMEORIGIN |
|
||||
|
||||
@@ -132,7 +132,7 @@ Feature: download file
|
||||
Then the following headers should be set
|
||||
| header | value |
|
||||
| Content-Disposition | attachment; filename*=UTF-8''textfile.txt; filename="textfile.txt" |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
|
||||
| X-Content-Type-Options | nosniff |
|
||||
| X-Download-Options | noopen |
|
||||
| X-Frame-Options | SAMEORIGIN |
|
||||
|
||||