Merge pull request #9993 from owncloud/allow-blob-as-connect-src

Allow blob as connect src

changelog/unreleased/blob-as-connect-src.md

@@ -0,0 +1,5 @@
+Enhancement: Allow blob as connect-src in default CSP
+
+We added 'blob:' to the default connect-src items in the default CSP rules.
+
+https://github.com/owncloud/ocis/pull/9993

deployments/examples/ocis_full/config/ocis/csp.yaml

@@ -3,6 +3,7 @@ directives:
     - '''self'''
   connect-src:
     - '''self'''
+    - 'blob:'
     - 'https://${COMPANION_DOMAIN|companion.owncloud.test}/'
     - 'wss://${COMPANION_DOMAIN|companion.owncloud.test}/'
     - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'

deployments/examples/ocis_keycloak/config/ocis/csp.yaml

@@ -3,6 +3,7 @@ directives:
     - '''self'''
   connect-src:
     - '''self'''
+    - 'blob:'
     - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
     # In contrary to bash and docker the default is given after the | character
     - 'https://${KEYCLOAK_DOMAIN|keycloak.owncloud.test}/'

services/proxy/pkg/config/csp.yaml

@@ -3,6 +3,7 @@ directives:
     - '''self'''
   connect-src:
     - '''self'''
+    - 'blob:'
     - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
   default-src:
     - '''none'''

tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature

@@ -219,7 +219,7 @@ Feature: download file
     And the following headers should be set
       | header                            | value                                                                                                                                                                                                                                                                                                                                                                                                                                    |
       | Content-Disposition               | attachment; filename*=UTF-8''<encoded-file-name>; filename="<file-name>"                                                                                                                                                                                                                                                                                                                                                                 |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
       | X-Content-Type-Options            | nosniff                                                                                                                                                                                                                                                                                                                                                                                                                                  |
       | X-Frame-Options                   | SAMEORIGIN                                                                                                                                                                                                                                                                                                                                                                                                                               |
       | X-Permitted-Cross-Domain-Policies | none                                                                                                                                                                                                                                                                                                                                                                                                                                     |
@@ -247,7 +247,7 @@ Feature: download file
     And the following headers should be set
       | header                            | value                                                                                                                                                                                                                                                                                                                                                                                                                                    |
       | Content-Disposition               | attachment; filename*=UTF-8''%22quote%22double%22.txt; filename=""quote"double".txt"                                                                                                                                                                                                                                                                                                                                                     |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
       | X-Content-Type-Options            | nosniff                                                                                                                                                                                                                                                                                                                                                                                                                                  |
       | X-Frame-Options                   | SAMEORIGIN                                                                                                                                                                                                                                                                                                                                                                                                                               |
       | X-Permitted-Cross-Domain-Policies | none                                                                                                                                                                                                                                                                                                                                                                                                                                     |