diff --git a/changelog/unreleased/blob-as-connect-src.md b/changelog/unreleased/blob-as-connect-src.md new file mode 100644 index 00000000000..6fefcbf4da2 --- /dev/null +++ b/changelog/unreleased/blob-as-connect-src.md @@ -0,0 +1,5 @@ +Enhancement: Allow blob as connect-src in default CSP + +We added 'blob:' to the default connect-src items in the default CSP rules. + +https://github.com/owncloud/ocis/pull/9993 diff --git a/deployments/examples/ocis_full/config/ocis/csp.yaml b/deployments/examples/ocis_full/config/ocis/csp.yaml index d8615b85a6c..fb46082e7dc 100644 --- a/deployments/examples/ocis_full/config/ocis/csp.yaml +++ b/deployments/examples/ocis_full/config/ocis/csp.yaml @@ -3,6 +3,7 @@ directives: - '''self''' connect-src: - '''self''' + - 'blob:' - 'https://${COMPANION_DOMAIN|companion.owncloud.test}/' - 'wss://${COMPANION_DOMAIN|companion.owncloud.test}/' - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' diff --git a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml index 2ba7ee24453..bdd0f605723 100644 --- a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml +++ b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml @@ -3,6 +3,7 @@ directives: - '''self''' connect-src: - '''self''' + - 'blob:' - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' # In contrary to bash and docker the default is given after the | character - 'https://${KEYCLOAK_DOMAIN|keycloak.owncloud.test}/' diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml index 58cd0645fe0..7542867caae 100644 --- a/services/proxy/pkg/config/csp.yaml +++ b/services/proxy/pkg/config/csp.yaml @@ -3,6 +3,7 @@ directives: - '''self''' connect-src: - '''self''' + - 'blob:' - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' default-src: - '''none''' diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature index 11b5e1bdde3..7e7c3f058c7 100644 --- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature +++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature @@ -219,7 +219,7 @@ Feature: download file And the following headers should be set | header | value | | Content-Disposition | attachment; filename*=UTF-8''; filename="" | - | Content-Security-Policy | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' | + | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' | | X-Content-Type-Options | nosniff | | X-Frame-Options | SAMEORIGIN | | X-Permitted-Cross-Domain-Policies | none | @@ -247,7 +247,7 @@ Feature: download file And the following headers should be set | header | value | | Content-Disposition | attachment; filename*=UTF-8''%22quote%22double%22.txt; filename=""quote"double".txt" | - | Content-Security-Policy | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' | + | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' | | X-Content-Type-Options | nosniff | | X-Frame-Options | SAMEORIGIN | | X-Permitted-Cross-Domain-Policies | none |