Merge pull request #4127 from nextcloud/update-legacy-csp-policy

Update legacy CSP policy
2017-03-28 17:47:32 +07:00 · 2017-03-28 17:47:32 +07:00 · dbf6b7ff86
parent 4f09dc71e0 3a90ab7e0a
commit dbf6b7ff86
1 changed files with 3 additions and 1 deletions
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@ -253,7 +253,9 @@ class OC_Response {
 			. 'img-src * data: blob:; '
 			. 'font-src \'self\' data:; '
 			. 'media-src *; ' 
-			. 'connect-src *';
+			. 'connect-src *; '
+			. 'object-src \'none\'; '
+			. 'base-uri \'self\'; ';
 		header('Content-Security-Policy:' . $policy);
 		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains