Always set self/blob csp when displaying attachments

Signed-off-by: Julius Härtl <jus@bitgrid.net>

lib/Service/FileService.php

@@ -236,14 +236,15 @@ class FileService implements IAttachmentService {
 		} else {
 			$response = new FileDisplayResponse($file);
 		}
-		if ($file->getMimeType() === 'application/pdf') {
-			// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
-			// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
-			$policy = new ContentSecurityPolicy();
-			$policy->addAllowedObjectDomain('\'self\'');
-			$policy->addAllowedObjectDomain('blob:');
-			$response->setContentSecurityPolicy($policy);
-		}
+		// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
+		// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
+		$policy = new ContentSecurityPolicy();
+		$policy->addAllowedObjectDomain('\'self\'');
+		$policy->addAllowedObjectDomain('blob:');
+		$policy->addAllowedMediaDomain('\'self\'');
+		$policy->addAllowedMediaDomain('blob:');
+		$response->setContentSecurityPolicy($policy);
+
 		$response->addHeader('Content-Type', $file->getMimeType());
 		return $response;
 	}

tests/unit/Service/FileServiceTest.php

@@ -272,7 +272,12 @@ class FileServiceTest extends TestCase {
 		$expected = new StreamResponse('fileresource');
 		$expected->addHeader('Content-Type', 'image/jpeg');
 		$expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-
+		$policy = new ContentSecurityPolicy();
+		$policy->addAllowedObjectDomain('\'self\'');
+		$policy->addAllowedObjectDomain('blob:');
+		$policy->addAllowedMediaDomain('\'self\'');
+		$policy->addAllowedMediaDomain('blob:');
+		$expected->setContentSecurityPolicy($policy);
 		$this->assertEquals($expected, $actual);
 	}
 
@@ -305,6 +310,8 @@ class FileServiceTest extends TestCase {
 		$policy = new ContentSecurityPolicy();
 		$policy->addAllowedObjectDomain('\'self\'');
 		$policy->addAllowedObjectDomain('blob:');
+		$policy->addAllowedMediaDomain('\'self\'');
+		$policy->addAllowedMediaDomain('blob:');
 		$expected->setContentSecurityPolicy($policy);
 		$this->assertEquals($expected, $actual);
 	}