From 0517465f4d2d4ebfebfee66cc4c816495a7ebf7a Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 23 Jan 2013 13:42:52 +0100
Subject: [PATCH] Allow admins to change the CSP policy in the config file

---
 config/config.sample.php | 3 +++
 lib/template.php         | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/config.sample.php b/config/config.sample.php
index dafb536fa6..18b7532e8f 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -104,6 +104,9 @@ $CONFIG = array(
 /* Lifetime of the remember login cookie, default is 15 days */
 "remember_login_cookie_lifetime" => 60*60*24*15,
 
+/* Custom CSP policy, changing this will overwrite the standard policy */
+"custom_csp_policy" => "default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *",
+
 /* The directory where the user data is stored, default to data in the owncloud
  * directory. The sqlite database is also stored here, when sqlite is used.
  */
diff --git a/lib/template.php b/lib/template.php
index 632268b002..96ca2c8afb 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -191,7 +191,7 @@ class OC_Template{
 		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 
 		// Content Security Policy
-		$policy = 'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *';
+		$policy = OC_Config::getValue('custom_csp_policy',  'default-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'; frame-src *');
 		header('Content-Security-Policy:'.$policy); // Standard
 		header('X-WebKit-CSP:'.$policy); // Older webkit browsers
 		header('X-Content-Security-Policy:'.$policy); // Mozilla + Internet Explorer
-- 
GitLab