From 76a1cc06186acbd9304bdf2cc30039996bffab4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Tue, 21 Apr 2020 12:29:35 +0200
Subject: [PATCH] Always set self/blob csp when displaying attachments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Service/FileService.php | 17 +++++++++--------
 tests/unit/Service/FileServiceTest.php | 9 ++++++++-
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/Service/FileService.php b/lib/Service/FileService.php
index a669c609a..2112a30f1 100644
--- a/lib/Service/FileService.php
+++ b/lib/Service/FileService.php
@@ -236,14 +236,15 @@ class FileService implements IAttachmentService {
 } else {
 $response = new FileDisplayResponse($file);
 }
- if ($file->getMimeType() === 'application/pdf') {
- // We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
- // https://bugs.chromium.org/p/chromium/issues/detail?id=271452
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedObjectDomain('\'self\'');
- $policy->addAllowedObjectDomain('blob:');
- $response->setContentSecurityPolicy($policy);
- }
+ // We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
+ // https://bugs.chromium.org/p/chromium/issues/detail?id=271452
+ $policy = new ContentSecurityPolicy();
+ $policy->addAllowedObjectDomain('\'self\'');
+ $policy->addAllowedObjectDomain('blob:');
+ $policy->addAllowedMediaDomain('\'self\'');
+ $policy->addAllowedMediaDomain('blob:');
+ $response->setContentSecurityPolicy($policy);
+
 $response->addHeader('Content-Type', $file->getMimeType());
 return $response;
 }
diff --git a/tests/unit/Service/FileServiceTest.php b/tests/unit/Service/FileServiceTest.php
index 57dda5722..e8662b775 100644
--- a/tests/unit/Service/FileServiceTest.php
+++ b/tests/unit/Service/FileServiceTest.php
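Review bot: The comment kept above the new block still explains only the PDF/Chrome case (`// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'`), but the policy is now attached to every attachment MIME type and additionally relaxes media-src, neither of which the comment or the commit message justifies. Because this response serves user-supplied attachment content under its own Content-Type, widening object-src 'self'/blob: from PDFs to all types is a deliberate CSP loosening whose rationale belongs in the code; if only PDF and audio/video rendering need it, the relaxation could stay gated on those MIME types instead of being unconditional. Suggest replacing the two comment lines with `// Allow object-src and media-src 'self'/blob: for every attachment type: Chrome refuses to render PDFs under object-src 'none' (https://bugs.chromium.org/p/chromium/issues/detail?id=271452), and media-src is presumably needed for inline audio/video playback.` Whether setContentSecurityPolicy() replaces a default policy that StreamResponse/FileDisplayResponse already carry is not visible in this hunk. The enclosing method starts before the hunk.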
@@ -272,7 +272,12 @@ class FileServiceTest extends TestCase {
 $expected = new StreamResponse('fileresource');
 $expected->addHeader('Content-Type', 'image/jpeg');
 $expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-
+ $policy = new ContentSecurityPolicy();
+ $policy->addAllowedObjectDomain('\'self\'');
+ $policy->addAllowedObjectDomain('blob:');
+ $policy->addAllowedMediaDomain('\'self\'');
+ $policy->addAllowedMediaDomain('blob:');
+ $expected->setContentSecurityPolicy($policy);
 $this->assertEquals($expected, $actual);
 }
@@ -305,6 +310,8 @@ class FileServiceTest extends TestCase {
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedObjectDomain('\'self\'');
 $policy->addAllowedObjectDomain('blob:');
+ $policy->addAllowedMediaDomain('\'self\'');
+ $policy->addAllowedMediaDomain('blob:');
 $expected->setContentSecurityPolicy($policy);
 $this->assertEquals($expected, $actual);
 }
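Review bot: The expected ContentSecurityPolicy is now assembled by the same four addAllowed*Domain calls in both tests (the hunks at 272 and 305), so any future change to the attachment policy has to be mirrored in two places and a drift between them would only show up as a confusing assertEquals diff. A private helper that returns the expected policy keeps both tests in sync and makes each assertion read as "this attachment response carries the standard attachment CSP". The first hunk also replaces a blank line with the new block, which is fine but makes the change look larger than it is. Both enclosing test methods start before their hunks.
```php
private function expectedAttachmentPolicy(): ContentSecurityPolicy
{
	$policy = new ContentSecurityPolicy();
	$policy->addAllowedObjectDomain('\'self\'');
	$policy->addAllowedObjectDomain('blob:');
	$policy->addAllowedMediaDomain('\'self\'');
	$policy->addAllowedMediaDomain('blob:');
	return $policy;
}

// … unchanged: response and header setup in each test …
$expected->setContentSecurityPolicy($this->expectedAttachmentPolicy());
$this->assertEquals($expected, $actual);
```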