Change csp

- Add allowinline = False - Add scriptdomains
nextmcloud · Jun 7, 2023 · 5d906d2 · 5d906d2
1 parent 7928f7c
commit 5d906d2
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
@@ -34,5 +34,4 @@ public function getTrustedFontUrls(){
 	public function getTrustedImageUrls(){
 		return $this->config->getSystemValue('trusted_image_urls');
 	}
-
 }
diff --git a/lib/Listener/CSPListener.php b/lib/Listener/CSPListener.php
@@ -32,15 +32,18 @@ public function handle(Event $event): void {
 		}
 
 		$policy = new EmptyContentSecurityPolicy();
+        $policy->allowInlineScript(false);
 		$policy->useStrictDynamic(true);
 
-		$trustedImageUrls= $this->config->getTrustedFontUrls();
-		foreach ($trustedImageUrls as $trusted_url) {
+		foreach ($this->config->getSystemValue('trusted_script_urls') as $trusted_url) {
+			$policy->addAllowedScriptDomain($trusted_url);
+		}
+
+		foreach ($this->config->getTrustedFontUrls() as $trusted_url) {
 			$policy->addAllowedFontDomain($trusted_url);
 		}
 
-		$trustedFontUrls = $this->config->getTrustedImageUrls();
-		foreach ($trustedFontUrls as $image_url) {
+		foreach ($this->config->getTrustedImageUrls() as $image_url) {
 			$policy->addAllowedImageDomain($image_url);
 		}
 		$event->addPolicy($policy);
-Original file line number
+Diff line change
@@ Expand Up / @@ -34,5 +34,4 @@ public function getTrustedFontUrls(){ @@
     	public function getTrustedImageUrls(){
     		return $this->config->getSystemValue('trusted_image_urls');
     	}
     }