Add custom CSP for Win 10 compatibility

The default content-security-policy of ownCloud forbids inline JavaScript for security reasons. IE starting on Windows 10 will however also obey the CSP which will break the event source fallback. As a workaround thus we set a custom policy which allows the execution of inline JavaScript. This fixes #14286
owncloud · Sep 10, 2015 · 4d1b898 · 4d1b898
1 parent 8d800e9
commit 4d1b898
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/lib/private/eventsource.php b/lib/private/eventsource.php
@@ -59,6 +59,17 @@ protected function init() {
 		$this->fallback = isset($_GET['fallback']) and $_GET['fallback'] == 'true';
 		if ($this->fallback) {
 			$this->fallBackId = (int)$_GET['fallback_id'];
+			/**
+			 * FIXME: The default content-security-policy of ownCloud forbids inline
+			 * JavaScript for security reasons. IE starting on Windows 10 will
+			 * however also obey the CSP which will break the event source fallback.
+			 *
+			 * As a workaround thus we set a custom policy which allows the execution
+			 * of inline JavaScript.
+			 *
+			 * @link https://github.com/owncloud/core/issues/14286
+			 */
+			header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'");
 			header("Content-Type: text/html");
 			echo str_repeat('<span></span>' . PHP_EOL, 10); //dummy data to keep IE happy
 		} else {