Forbid eval on legacy responses

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-09 09:49:33 +02:00 · 2019-04-09 09:49:33 +02:00 · 3b1e16458d
parent 5d360bd16f
commit 3b1e16458d
1 changed files with 1 additions and 1 deletions
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@ -84,7 +84,7 @@ class OC_Response {
 		 * @see \OCP\AppFramework\Http\Response::getHeaders
 		 */
 		$policy = 'default-src \'self\'; '
-			. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
+			. 'script-src \'self\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
 			. 'style-src \'self\' \'unsafe-inline\'; '
 			. 'frame-src *; '
 			. 'img-src * data: blob:; '