fix: token refresh in single binary and wopi deployment example (#9167)

2026-02-05 03:30:19 -06:00 · 2024-05-16 18:20:18 +02:00
parent e80d06f266
commit 9bc958e8be
5 changed files with 8 additions and 5 deletions
--- a/changelog/unreleased/csp.md
+++ b/changelog/unreleased/csp.md
@@ -3,3 +3,6 @@ Enhancement: Add CSP and other security related headers to oCIS
 General hardening of oCIS

 https://github.com/owncloud/ocis/pull/8777
+https://github.com/owncloud/ocis/pull/9025
+https://github.com/owncloud/ocis/pull/9167
+
--- a/deployments/examples/ocis_wopi/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
@@ -8,7 +8,7 @@ directives:
  font-src:
    - '''self'''
  frame-ancestors:
-    - '''none'''
+    - '''self'''
  frame-src:
    - '''self'''
    - 'https://embed.diagrams.net/'
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -8,7 +8,7 @@ directives:
  font-src:
    - '''self'''
  frame-ancestors:
-    - '''none'''
+    - '''self'''
  frame-src:
    - '''self'''
    - 'https://embed.diagrams.net/'
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -271,7 +271,7 @@ Feature: download file
    And the following headers should be set
      | header                            | value                                                              |
      | Content-Disposition               | attachment; filename*=UTF-8''"<file-name>"; filename="<file-name>" |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                |
      | X-Content-Type-Options            | nosniff                                                            |
      | X-Download-Options                | noopen                                                             |
      | X-Frame-Options                   | SAMEORIGIN                                                         |
@@ -300,7 +300,7 @@ Feature: download file
    And the following headers should be set
      | header                            | value                                                                            |
      | Content-Disposition               | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                              |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                              |
      | X-Content-Type-Options            | nosniff                                                                          |
      | X-Download-Options                | noopen                                                                           |
      | X-Frame-Options                   | SAMEORIGIN                                                                       |
--- a/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
+++ b/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
@@ -132,7 +132,7 @@ Feature: download file
    Then the following headers should be set
      | header                            | value                                                              |
      | Content-Disposition               | attachment; filename*=UTF-8''textfile.txt; filename="textfile.txt" |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'                                                |
      | X-Content-Type-Options            | nosniff                                                            |
      | X-Download-Options                | noopen                                                             |
      | X-Frame-Options                   | SAMEORIGIN                                                         |