Employ a stricter Content Security Policy on remote.php
Items sent by remote.php have not to be interpreted by browsers in any way.
This commit is contained in:
Lukas Reschke
@@ -108,6 +108,11 @@ function resolveService($service) {
|
||||
try {
|
||||
require_once 'lib/base.php';
|
||||
|
||||
// All resources served via the DAV endpoint should have the strictest possible
|
||||
// policy. Exempted from this is the SabreDAV browser plugin which overwrites
|
||||
// this policy with a softer one if debug mode is enabled.
|
||||
header("Content-Security-Policy: default-src 'none';");
|
||||
|
||||
if (\OCP\Util::needUpgrade()) {
|
||||
// since the behavior of apps or remotes are unpredictable during
|
||||
// an upgrade, return a 503 directly
|
||||
|
||||
Reference in New Issue
Block a user