Merge pull request nextcloud#13420 from nextcloud/enh/13042/default-f…

…rame-anchestor-set Set default frame-ancestors to 'self'
small1 · Jan 9, 2019 · 1fd6741 · 1fd6741
2 parents b8bb1d4 + ad676c0
commit 1fd6741
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 63 deletions.
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -86,7 +86,9 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	protected $allowedChildSrcDomains = [];
 
 	/** @var array Domains which can embed this Nextcloud instance */
-	protected $allowedFrameAncestors = [];
+	protected $allowedFrameAncestors = [
+		'\'self\'',
+	];
 
 	/** @var array Domains from which web-workers can be loaded */
 	protected $allowedWorkerSrcDomains = [];

diff --git a/tests/lib/AppFramework/Controller/ControllerTest.php b/tests/lib/AppFramework/Controller/ControllerTest.php
@@ -116,7 +116,7 @@ public function testFormatDataResponseJSON() {
 			'test' => 'something',
 			'Cache-Control' => 'no-cache, no-store, must-revalidate',
 			'Content-Type' => 'application/json; charset=utf-8',
-			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self'",
+			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
 		];
 
 		$response = $this->controller->customDataResponse(array('hi'));