From 04dc1076f13567549602802bbf8e931879174353 Mon Sep 17 00:00:00 2001
From: Bernhard Posselt
Date: Thu, 19 Feb 2015 12:23:35 +0100
Subject: fix #734 and set a CSP on master
---
 controller/pagecontroller.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'controller')
diff --git a/controller/pagecontroller.php b/controller/pagecontroller.php
index 346ef61ef..7d754df04 100644
--- a/controller/pagecontroller.php
+++ b/controller/pagecontroller.php
@@ -66,10 +66,23 @@ class PageController extends Controller {
 */
 public function index() {
 $status = $this->statusService->getStatus();
-
- return new TemplateResponse($this->appName, 'index', [
+ $response = new TemplateResponse($this->appName, 'index', [
 'cronWarning' => $status['warnings']['improperlyConfiguredCron']
 ]);
+
+ // set csp rules for ownCloud 8.1
+ if (class_exists('OCP\AppFramework\Http\ContentSecurityPolicy')) {
+ $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
+ $csp->addAllowedImageDomain('*');
+ $csp->addAllowedMediaDomain('*');
+ $csp->addAllowedFrameDomain('https://youtube.com');
+ $csp->addAllowedFrameDomain('https://www.youtube.com');
+ $csp->addAllowedFrameDomain('https://player.vimeo.com');
+ $csp->addAllowedFrameDomain('https://www.player.vimeo.com');
+ $response->setContentSecurityPolicy($csp);
+ }
+
+ return $response;
 }
-- 
cgit v1.2.3
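Review bot: `addAllowedImageDomain('*')` and `addAllowedMediaDomain('*')` allow images and media from every host, and nothing in the added block says why, so a later reader cannot tell a deliberate trade-off from an oversight. If the wildcards are needed because feed items reference media on arbitrary hosts, state that above the calls, e.g. `// feed items load images/media from arbitrary hosts, so these two cannot be narrowed; frames stay on an explicit allowlist`, and note that the policy therefore does not limit remote image loads such as tracking pixels. In the frame allowlist, `https://www.player.vimeo.com` (and possibly the bare `https://youtube.com`) does not look like a host the embeds are known to use; confirm each entry and drop any that is unused. When `class_exists` returns false this method sets no policy at all, which presumably leaves the framework default in place, and the `// set csp rules for ownCloud 8.1` comment could say so. The docblock of `index()` begins above the hunk.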