CSP 'unsafe-eval' required for Knockout.js, see issue #103
djmaze committed Jul 28, 2021
1 parent a3d2b56 commit e0106a6
Showing 1 changed file with 3 additions and 1 deletion.
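--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php
@@ -207,7 +207,9 @@ private function setCSP(string $sScriptNonce = null) : void
 if ($sScriptNonce) {
 $sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", "\$1'nonce-{$sScriptNonce}'", $sContentSecurityPolicy);
 }
-$sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", '', $sContentSecurityPolicy);
+$sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", '$1', $sContentSecurityPolicy);
+// Knockout.js requires eval() for observable binding purposes
+//$sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-eval'/", '$1', $sContentSecurityPolicy);
 }
 \header('Content-Security-Policy: '.$sContentSecurityPolicy, true);
 }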
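Review bot: The commented-out `preg_replace` on the last added line leaves `'unsafe-eval'` in `script-src`, and the comment above it does not say what protection that gives up. With `'unsafe-eval'` allowed, the nonce substituted earlier in setCSP only governs which script elements may load; string-to-code sinks such as `eval()` and `new Function()` stay permitted for any script that is already running. I would drop the dead line and state the trade-off instead, e.g. `// 'unsafe-eval' is kept on purpose: Knockout.js compiles binding expressions from strings (issue #103); the nonce does not restrict eval(), so untrusted data must never end up inside a binding expression.` setCSP and the block closed after the added lines both begin outside the hunk, so the base policy string and whether it carries `'unsafe-eval'` at all are not visible here.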