ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Always set self/blob csp when displaying attachments

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2020-04-21 12:29:35 +02:00
parent 00d2278513
commit 76a1cc0618
2 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
lib/Service/FileService.php
View File

@@ -236,14 +236,15 @@ class FileService implements IAttachmentService {
} else {
$response = new FileDisplayResponse($file);
}
if ($file->getMimeType() === 'application/pdf') {
// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
$policy = new ContentSecurityPolicy();
$policy->addAllowedObjectDomain('\'self\'');
$policy->addAllowedObjectDomain('blob:');
$response->setContentSecurityPolicy($policy);
}
// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
$policy = new ContentSecurityPolicy();
$policy->addAllowedObjectDomain('\'self\'');
$policy->addAllowedObjectDomain('blob:');
$policy->addAllowedMediaDomain('\'self\'');
$policy->addAllowedMediaDomain('blob:');
$response->setContentSecurityPolicy($policy);
$response->addHeader('Content-Type', $file->getMimeType());
return $response;
}