Move to stricter CSP

Do not allow unsafe eval by default.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

@@ -45,6 +45,7 @@
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
+use OCP\AppFramework\Http\StrictEvalContentSecurityPolicy;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\AppFramework\Http\Response;
@@ -202,7 +203,7 @@ public function beforeController($controller, $methodName) {
 	 * @return Response
 	 */
 	public function afterController($controller, $methodName, Response $response): Response {
-		$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
+		$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new StrictEvalContentSecurityPolicy();
 
 		if (get_class($policy) === EmptyContentSecurityPolicy::class) {
 			return $response;

lib/private/Security/CSP/ContentSecurityPolicy.php

@@ -30,7 +30,7 @@
  *
  * @package OC\Security\CSP
  */
-class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy {
+class ContentSecurityPolicy extends \OCP\AppFramework\Http\StrictEvalContentSecurityPolicy {
 	/**
 	 * @return boolean
 	 */

lib/public/AppFramework/Http/Response.php

@@ -230,7 +230,7 @@ public function getHeaders() {
 
 		// Build Content-Security-Policy and use default if none has been specified
 		if(is_null($this->contentSecurityPolicy)) {
-			$this->setContentSecurityPolicy(new ContentSecurityPolicy());
+			$this->setContentSecurityPolicy(new StrictEvalContentSecurityPolicy());
 		}
 		$this->headers['Content-Security-Policy'] = $this->contentSecurityPolicy->buildPolicy();