Skip to content

Content security policy on non-TemplateResponses #14179

@nickvergessen

Description

@nickvergessen

From my understanding only TemplateResponses should require a CSP to be set.
Any other responses could be delivered with none.

In this case we should also add an event for apps, to call \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy() instead of having apps like Talk always do this.

In case of Talk we load the config, need to check all turn/stun/signaling servers etc and add them to the CSP. This could all be saved if the CSP is useless anyway.

cc @rullzer

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions