From 3febeb6ca71421135fd699374f8c979891b68186 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 22 Oct 2018 10:57:55 +0200
Subject: [PATCH] Use lax CSP when the share is a talk share
Signed-off-by: Joas Schilling
---
 .../lib/Controller/ShareController.php | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
index 8e9cc5a963..409762482d 100644
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@@ -35,6 +35,7 @@ namespace OCA\Files_Sharing\Controller;
+use OC\Security\CSP\ContentSecurityPolicy;
 use OC_Files;
 use OC_Util;
 use OCA\FederatedFileSharing\FederatedShareProvider;
@@ -158,7 +159,16 @@ class ShareController extends AuthPublicShareController {
 $event = new GenericEvent(null, $templateParameters);
 $this->eventDispatcher->dispatch('OCA\Files_Sharing::loadAdditionalScripts::publicShareAuth', $event);
- return new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+ $response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+ if ($this->share->getSendPasswordByTalk()) {
+ $csp = new ContentSecurityPolicy();
+ $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedMediaDomain('blob:');
+ $csp->allowEvalScript(true);
+ $response->setContentSecurityPolicy($csp);
+ }
+
+ return $response;
 }
 /**
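Review bot: The relaxed policy added in the hunk at old line 158, and the identical block in the hunk at old line 170, puts `connect-src *` and script eval on the public share password page. That page is served to unauthenticated visitors and receives the share password, so an injection there would no longer be contained by the default policy. The only gate is `$this->share->getSendPasswordByTalk()`; if the Talk client needs only specific endpoints, list those instead of `'*'`, and either way add a comment saying which Talk feature needs each directive so the exceptions can be removed later. The seven added lines are duplicated verbatim in both methods, whose signatures are outside the hunks; a private helper along these lines would keep the two responses from drifting apart.

```php
// … unchanged: event dispatch in both methods …
return $this->applyTalkCsp(new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest'));

/**
 * Relaxes the CSP only for shares whose password is sent by Talk.
 * connect-src: Talk signaling; media-src blob: call media; eval: Talk client scripts.
 * Keep this list as narrow as the Talk client allows.
 */
private function applyTalkCsp(TemplateResponse $response): TemplateResponse {
	if ($this->share->getSendPasswordByTalk()) {
		$csp = new ContentSecurityPolicy();
		$csp->addAllowedConnectDomain('*');
		$csp->addAllowedMediaDomain('blob:');
		$csp->allowEvalScript(true);
		$response->setContentSecurityPolicy($csp);
	}

	return $response;
}
```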
@@ -170,7 +180,16 @@ class ShareController extends AuthPublicShareController {
 $event = new GenericEvent(null, $templateParameters);
 $this->eventDispatcher->dispatch('OCA\Files_Sharing::loadAdditionalScripts::publicShareAuth', $event);
- return new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+ $response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+ if ($this->share->getSendPasswordByTalk()) {
+ $csp = new ContentSecurityPolicy();
+ $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedMediaDomain('blob:');
+ $csp->allowEvalScript(true);
+ $response->setContentSecurityPolicy($csp);
+ }
+
+ return $response;
 }
 protected function verifyPassword(string $password): bool {