Always set self/blob csp when displaying attachments

Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-04-21 12:29:35 +02:00
parent 00d2278513
commit 76a1cc0618
2 changed files with 17 additions and 9 deletions
--- a/tests/unit/Service/FileServiceTest.php
+++ b/tests/unit/Service/FileServiceTest.php
@@ -272,7 +272,12 @@ class FileServiceTest extends TestCase {
 		$expected = new StreamResponse('fileresource');
 		$expected->addHeader('Content-Type', 'image/jpeg');
 		$expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-
+		$policy = new ContentSecurityPolicy();
+		$policy->addAllowedObjectDomain('\'self\'');
+		$policy->addAllowedObjectDomain('blob:');
+		$policy->addAllowedMediaDomain('\'self\'');
+		$policy->addAllowedMediaDomain('blob:');
+		$expected->setContentSecurityPolicy($policy);
 		$this->assertEquals($expected, $actual);
 	}

@@ -305,6 +310,8 @@ class FileServiceTest extends TestCase {
 		$policy = new ContentSecurityPolicy();
 		$policy->addAllowedObjectDomain('\'self\'');
 		$policy->addAllowedObjectDomain('blob:');
+		$policy->addAllowedMediaDomain('\'self\'');
+		$policy->addAllowedMediaDomain('blob:');
 		$expected->setContentSecurityPolicy($policy);
 		$this->assertEquals($expected, $actual);
 	}