Security: Content Security Policy allows unsafe-eval#282
Conversation
In lib/Controller/DisplayController.php, the ContentSecurityPolicy allows 'unsafe-eval' script domain. This severely weakens CSP protection and allows inline JavaScript execution, making the application vulnerable to XSS attacks. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
|
for ref: #265 |
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
Summary
Security: Content Security Policy allows unsafe-eval
Problem
Severity:
Critical| File:lib/Controller/DisplayController.php:L54In lib/Controller/DisplayController.php, the ContentSecurityPolicy allows 'unsafe-eval' script domain. This severely weakens CSP protection and allows inline JavaScript execution, making the application vulnerable to XSS attacks.
Solution
Remove the line '$policy->addAllowedScriptDomain(''unsafe-eval'');' or replace with specific allowed script sources. If inline scripts are needed, use nonces instead.
Changes
lib/Controller/DisplayController.php(modified)