Do not allow JavaScript "eval" in the public share auth page with Talk

Talk no longer uses JavaScript "eval", so the Content Security Policy can now be configured to prevent its use in the public share authentication page when the password is protected by Talk. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
author: Daniel Calviño Sánchez <danxuliu@gmail.com> 2019-04-10 17:46:19 +0300
committer: Daniel Calviño Sánchez <danxuliu@gmail.com> 2019-04-10 17:46:19 +0300
commit: dfe9e3fb2e063a0cf4ab4849a4329f05cb6255b7 (patch)
tree: 6a6b3eeaef6d4708358032322ef3a1b7fd5c9977 /apps
parent: d1e4d614daa52503b1a0bb5ebcaf6a7d2b33edb7 (diff)
1 files changed, 0 insertions, 2 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
index 99685f671d3..3bd65cd3974 100644
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@@ -164,7 +164,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}
 
@@ -185,7 +184,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}
author	Daniel Calviño Sánchez <danxuliu@gmail.com>	2019-04-10 17:46:19 +0300
committer	Daniel Calviño Sánchez <danxuliu@gmail.com>	2019-04-10 17:46:19 +0300
commit	dfe9e3fb2e063a0cf4ab4849a4329f05cb6255b7 (patch)
tree	6a6b3eeaef6d4708358032322ef3a1b7fd5c9977 /apps
parent	d1e4d614daa52503b1a0bb5ebcaf6a7d2b33edb7 (diff)