Do not allow JavaScript "eval" in the public share auth page with Talk

Talk no longer uses JavaScript "eval", so the Content Security Policy can now be configured to prevent its use in the public share authentication page when the password is protected by Talk. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
7 years ago · dfe9e3fb2e
1 changed files with 0 additions and 2 deletions
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@ -164,7 +164,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}

@ -185,7 +184,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}