Merge pull request #11974 from nextcloud/bugfix/noid/lax-csp-on-talk-shares

Use lax CSP when the share is a talk share

apps/files_sharing/lib/Controller/ShareController.php

@@ -35,6 +35,7 @@
 
 namespace OCA\Files_Sharing\Controller;
 
+use OC\Security\CSP\ContentSecurityPolicy;
 use OC_Files;
 use OC_Util;
 use OCA\FederatedFileSharing\FederatedShareProvider;
@@ -158,7 +159,16 @@ class ShareController extends AuthPublicShareController {
 		$event = new GenericEvent(null, $templateParameters);
 		$this->eventDispatcher->dispatch('OCA\Files_Sharing::loadAdditionalScripts::publicShareAuth', $event);
 
-		return new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+		$response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+		if ($this->share->getSendPasswordByTalk()) {
+			$csp = new ContentSecurityPolicy();
+			$csp->addAllowedConnectDomain('*');
+			$csp->addAllowedMediaDomain('blob:');
+			$csp->allowEvalScript(true);
+			$response->setContentSecurityPolicy($csp);
+		}
+
+		return $response;
 	}
 
 	/**
@@ -170,7 +180,16 @@ class ShareController extends AuthPublicShareController {
 		$event = new GenericEvent(null, $templateParameters);
 		$this->eventDispatcher->dispatch('OCA\Files_Sharing::loadAdditionalScripts::publicShareAuth', $event);
 
-		return new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+		$response = new TemplateResponse('core', 'publicshareauth', $templateParameters, 'guest');
+		if ($this->share->getSendPasswordByTalk()) {
+			$csp = new ContentSecurityPolicy();
+			$csp->addAllowedConnectDomain('*');
+			$csp->addAllowedMediaDomain('blob:');
+			$csp->allowEvalScript(true);
+			$response->setContentSecurityPolicy($csp);
+		}
+
+		return $response;
 	}
 
 	protected function verifyPassword(string $password): bool {