From 9bc958e8bee7e9dd087e038905392ed9cdac30ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 16 May 2024 18:20:18 +0200
Subject: [PATCH] fix: token refresh in single binary and wopi deployment example (#9167)

---
 changelog/unreleased/csp.md | 3 +++
 deployments/examples/ocis_wopi/config/ocis/csp.yaml | 2 +-
 services/proxy/pkg/config/csp.yaml | 2 +-
 .../features/coreApiWebdavOperations/downloadFile.feature | 4 ++--
 .../features/apiWebdavOperations/downloadFile.feature | 2 +-
 5 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/changelog/unreleased/csp.md b/changelog/unreleased/csp.md
index a25f8fe503..936e1a6bb4 100644
--- a/changelog/unreleased/csp.md
+++ b/changelog/unreleased/csp.md
@@ -3,3 +3,6 @@ Enhancement: Add CSP and other security related headers to oCIS
 General hardening of oCIS
 
 https://github.com/owncloud/ocis/pull/8777
+https://github.com/owncloud/ocis/pull/9025
+https://github.com/owncloud/ocis/pull/9167
+
diff --git a/deployments/examples/ocis_wopi/config/ocis/csp.yaml b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
index f8cfb14eb4..9852ebeae9 100644
--- a/deployments/examples/ocis_wopi/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
@@ -8,7 +8,7 @@ directives:
   font-src:
     - '''self'''
   frame-ancestors:
-    - '''none'''
+    - '''self'''
   frame-src:
     - '''self'''
     - 'https://embed.diagrams.net/'
diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml
index a006a2ff89..af398461d0 100644
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -8,7 +8,7 @@ directives:
   font-src:
     - '''self'''
   frame-ancestors:
-    - '''none'''
+    - '''self'''
   frame-src:
     - '''self'''
     - 'https://embed.diagrams.net/'
diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index 41216b1179..540dcd6977 100644
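Review bot: The relaxation of `frame-ancestors` from `'none'` to `'self'` on the changed line carries no comment saying why same-origin framing is now required, so the only record of the reason is the commit title, and a later hardening pass could tighten it back to `'none'` and silently break the token refresh again. I would add a comment directly above the directive, `# 'self' is required: the token refresh is loaded in a same-origin frame; 'none' blocks it` (the framing mechanism is inferred from the commit title, so confirm the wording against the web client before committing it). The same applies to the identical hunk in services/proxy/pkg/config/csp.yaml, which follows this one. Note that `'self'` is also consistent with the `X-Frame-Options: SAMEORIGIN` header the acceptance tests already expect, whereas the previous `'none'` was stricter than that header, so the two anti-framing controls now agree. The changelog entry only appends PR links; one line stating that frame-ancestors was relaxed to 'self' would make the policy change visible to operators reviewing release notes.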
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -271,7 +271,7 @@ Feature: download file
     And the following headers should be set
       | header | value |
       | Content-Disposition | attachment; filename*=UTF-8''""; filename="" |
-      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
       | X-Content-Type-Options | nosniff |
       | X-Download-Options | noopen |
       | X-Frame-Options | SAMEORIGIN |
@@ -300,7 +300,7 @@ Feature: download file
     And the following headers should be set
       | header | value |
       | Content-Disposition | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
-      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
       | X-Content-Type-Options | nosniff |
       | X-Download-Options | noopen |
       | X-Frame-Options | SAMEORIGIN |
diff --git a/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature b/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
index 52e2573b2f..08b3621f54 100644
--- a/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
+++ b/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
@@ -132,7 +132,7 @@ Feature: download file
     Then the following headers should be set
       | header | value |
       | Content-Disposition | attachment; filename*=UTF-8''textfile.txt; filename="textfile.txt" |
-      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'none'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
       | X-Content-Type-Options | nosniff |
       | X-Download-Options | noopen |
       | X-Frame-Options | SAMEORIGIN |