upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 54

Allow eval() and send headers for legacy browsers

Browse source 
The blocking of eval() seems to have problems with JQuery 1.7.2 - let's allow it for now and disable it in the future.
This commit is contained in:
Lukas Reschke 2013-01-22 08:09:01 +01:00
parent 3ffbaf4795
commit 351d206dd3
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/template.php
View file

@ -189,8 +189,12 @@ class OC_Template{
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
header('Content-Security-Policy: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *');
header('X-WebKit-CSP: default-src \'self\'; style-src \'self\' \'unsafe-inline\'; frame-src *');
// Content Security Policy
$policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *';
header('Content-Security-Policy:'.$policy); // Standard
header('X-WebKit-CSP:'.$policy); // Older webkit browsers
header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer
$this->findTemplate($name);
}