From af8c1936058bfedfe6ae256cab2a70259f11e044 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sun, 20 Jan 2013 23:30:16 +0100
Subject: [PATCH] Disallow inline JS

---
 lib/template.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/template.php b/lib/template.php
index 09c2fefd8a..7ac2b321b3 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -190,6 +190,7 @@ class OC_Template{
 		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
 		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 		header('Content-Security-Policy: default-src \'self\'; script-src \'self\' \'unsafe-inline\'; style-src \'self\' \'unsafe-inline\''); // Disallow external ressources + eval()
+		header('X-WebKit-CSP: default-src \'self\'; style-src \'self\' \'unsafe-inline\'');
 
 		$this->findTemplate($name);
 	}
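Review bot: The new `X-WebKit-CSP` header disagrees with the `Content-Security-Policy` header two lines above it: the WebKit-prefixed policy omits `script-src`, so scripts fall back to `default-src 'self'` and inline JS is blocked, while the standard header still carries `script-src 'self' 'unsafe-inline'` and therefore keeps inline JS allowed for every browser that honours the unprefixed name. If the commit's stated intent ("Disallow inline JS") is to apply everywhere, the existing line should change to match, `header('Content-Security-Policy: default-src \'self\'; script-src \'self\'; style-src \'self\' \'unsafe-inline\'');`, so both headers enforce the same policy and the comment "Disallow external ressources + eval()" becomes accurate. Presumably some templates still rely on inline `<script>` blocks, so that tightening would need the same audit the WebKit header already implies; if the split is deliberate during a transition, a comment such as `// X-WebKit-CSP already forbids inline JS; standard CSP still permits it until inline scripts are migrated` on the added line would record that. The enclosing method starts before this hunk, so I cannot see whether these headers are emitted once per response or conditionally.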
-- 
GitLab