issue: iFrame Single Quotes

It's all about the single quotes baby! Apparently I can't read; the single
quotes are only meant for word options such as `'self'` and `'none'`. When
adding single quotes to the `<host-source>` options it takes them
literally…too literally. For example, if your options are `'localhost:80
localhost:8080 localhost:8000'` then `'localhost:80` and `localhost:8000'` will
be seen as "invalid" due to the single quotes. This removes the single
quotes from every line that sets the CSP so all options are valid. This also
adds single quotes around the `self` option so it stays valid as well.
JediKev committed Jun 28, 2019
1 parent 9734f95 commit 4b59b4f06bc2221808205dc52f093abe84c8fe9f
Showing with 1 addition and 1 deletion.
  1. +1 −1 include/client/header.inc.php
@@ -6,7 +6,7 @@
$signout_url = ROOT_PATH . "logout.php?auth=".$ost->getLinkToken();
header("Content-Type: text/html; charset=UTF-8");
header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
if (($lang = Internationalization::getCurrentLanguage())) {
$langs = array_unique(array($lang, $cfg->getPrimaryLanguage()));
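
Review bot: On the new `header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");` line the configured value now reaches the header verbatim, so the keyword quoting the commit message promises for `self` has to already be present in the stored value, and nothing in this hunk adds it. A stored bare `self` or `none` would be parsed as a host name rather than the CSP keyword, and a value containing `;` would start a new directive in the policy. Suggest normalising the value before it is emitted: split it on whitespace, quote the bare keywords `self` and `none`, and drop any token that is neither a keyword nor a host-source.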
