Add custom CSP for Win 10 compatibility #17791
Conversation
The default content-security-policy of ownCloud forbids inline JavaScript for security reasons. IE starting on Windows 10 will however also obey the CSP which will break the event source fallback. As a workaround thus we set a custom policy which allows the execution of inline JavaScript. This fixes #14286
|
A new inspection was created. |
|
@karlitschek Should get backported to the older releases. Win 10 will add CSP support which makes ownCloud pretty much unusable on newer IEs then as the EventSource is used for some other stuff as well such as the update process and also file listing if I'm not completely wrong. If you agree I will prepare backports for stable7 - stable8.1. |
|
🚀 Test PASSed.🚀 |
|
@LukasReschke Nice. Please backport 👍 |
|
So anybody up to review this since Win 10 has been released? 🙊 To test this access Before the CSP header was: The |
|
@rperezb qa please 🙊 THX a lot |
|
Checking with @bboule for the environment to check this |
|
Ping? 🙊 |
|
Pong? 🙉 |
|
Using edge in windows 10. After accessing the provided url I am getting same headers as before. |
|
Are you sure you read the Content-Security-Policy of the EventSource page? This seems to work fine for me: |
|
I've tried with that /master/ folder in the url and without it, same result in this headers.
|
|
Are you sure the patch is applied? 52328 which has as per the Web UI 52330 as SSH port hasn't.
|
|
Yes, sorry, I patched the wrong server. Now it is working fine |
|
Update is working correctly as well. (without the patch it didn't redirect, not sure if related) 👍 |
…ith-win10 Add custom CSP for Win 10 compatibility
The default content-security-policy of ownCloud forbids inline
JavaScript for security reasons. Edge starting on Windows 10 will
however also obey the CSP which will break the event source fallback.
As a workaround thus we set a custom policy which allows the execution
of inline JavaScript.
This fixes #14286 and is also required for owncloud/gallery#206