From dfe9e3fb2e063a0cf4ab4849a4329f05cb6255b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= <danxuliu@gmail.com>
Date: Wed, 10 Apr 2019 16:46:19 +0200
Subject: [PATCH] Do not allow JavaScript "eval" in the public share auth page
 with Talk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Talk no longer uses JavaScript "eval", so the Content Security Policy
can now be configured to prevent its use in the public share
authentication page when the password is protected by Talk.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
---
 apps/files_sharing/lib/Controller/ShareController.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
index 99685f671d3..3bd65cd3974 100644
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@@ -164,7 +164,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}
 
@@ -185,7 +184,6 @@ class ShareController extends AuthPublicShareController {
 			$csp = new ContentSecurityPolicy();
 			$csp->addAllowedConnectDomain('*');
 			$csp->addAllowedMediaDomain('blob:');
-			$csp->allowEvalScript(true);
 			$response->setContentSecurityPolicy($csp);
 		}
 
-- 
GitLab