From 3a90ab7e0a6e3d99f41c0735b592adff246a9e15 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 28 Mar 2017 23:55:31 +0200
Subject: [PATCH] Update legacy CSP policy

Aligns it with the one enforced by the AppFramework

Signed-off-by: Lukas Reschke
---
 lib/private/legacy/response.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
index 69c84e2df6..d5c9ed78f6 100644
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@@ -253,7 +253,9 @@ class OC_Response {
 . 'img-src * data: blob:; '
 . 'font-src \'self\' data:; '
 . 'media-src *; '
- . 'connect-src *';
+ . 'connect-src *; '
+ . 'object-src \'none\'; '
+ . 'base-uri \'self\'; ';
 header('Content-Security-Policy:' . $policy);
 
 // Send fallback headers for installations that don't have the possibility to send
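Review bot: The legacy policy is still a hand-maintained string copy of the AppFramework policy, so the two can drift apart again the next time a directive is added on only one side. At minimum the `$policy` assignment should carry a comment such as `// Keep in sync with the default Content-Security-Policy enforced by the AppFramework`; building the header from the same policy object would remove the duplication, if that object is usable from this legacy path. Separately, `connect-src *` stays a wildcard next to the new `object-src 'none'` and `base-uri 'self'`, so the policy still places no limit on where page scripts may send requests; if the legacy pages do not need arbitrary origins, `'self'` would be the tighter value. The start of the policy string and the enclosing method of `OC_Response` lie outside the hunk, so the script and frame directives cannot be judged from here.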