authorBernhard Posselt <dev@bernhard-posselt.com>2015-02-19 12:23:35 +0100
committerBernhard Posselt <dev@bernhard-posselt.com>2015-02-19 12:23:44 +0100
commit04dc1076f13567549602802bbf8e931879174353 (patch)
tree490cab68e0d887e422246cd0351b309c3d9cdefa /controller
parent4b6e528a5f0472624644bd812c19af55fea52080 (diff)
fix #734 and set a CSP on master
Diffstat (limited to 'controller')
-rw-r--r--controller/pagecontroller.php17
1 files changed, 15 insertions, 2 deletions
diff --git a/controller/pagecontroller.php b/controller/pagecontroller.php
index 346ef61ef..7d754df04 100644
--- a/controller/pagecontroller.php
+++ b/controller/pagecontroller.php
@@ -66,10 +66,23 @@ class PageController extends Controller {
*/
public function index() {
$status = $this->statusService->getStatus();
-
- return new TemplateResponse($this->appName, 'index', [
+ $response = new TemplateResponse($this->appName, 'index', [
'cronWarning' => $status['warnings']['improperlyConfiguredCron']
]);
+
+ // set csp rules for ownCloud 8.1
+ if (class_exists('OCP\AppFramework\Http\ContentSecurityPolicy')) {
+ $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
+ $csp->addAllowedImageDomain('*');
+ $csp->addAllowedMediaDomain('*');
+ $csp->addAllowedFrameDomain('https://youtube.com');
+ $csp->addAllowedFrameDomain('https://www.youtube.com');
+ $csp->addAllowedFrameDomain('https://player.vimeo.com');
+ $csp->addAllowedFrameDomain('https://www.player.vimeo.com');
+ $response->setContentSecurityPolicy($csp);
+ }
+
+ return $response;
}
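Review bot: `addAllowedImageDomain('*')` and `addAllowedMediaDomain('*')` remove every origin restriction for images and media, so of the rules added here only the four frame entries actually narrow anything. Markup in a feed item can still make the browser fetch from any host, which is enough to track that an item was read. For a feed reader this is presumably a deliberate trade-off, but the comment `// set csp rules for ownCloud 8.1` does not record it; I would replace it with `// feeds embed images/media from arbitrary hosts, hence '*'; frames stay limited to the video hosts below. This CSP does not replace sanitizing feed HTML.` The same comment should say that when the `class_exists` check fails the response is returned without this policy, so older servers rely on whatever the platform sets by default.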