fix!(ContentSecurityPolicy): Make strict-dynamic enabled by default…

… on `script-src-elem` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
nextcloud · Nov 17, 2023 · c209295 · c209295
1 parent 7df9eb3
commit c209295
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 77 deletions.
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -49,7 +49,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var bool Whether strict-dynamic should be set */
 	protected $strictDynamicAllowed = false;
 	/** @var bool Whether strict-dynamic should be set for 'script-src-elem' */
-	protected $strictDynamicAllowedOnScripts = false;
+	protected $strictDynamicAllowedOnScripts = true;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',