mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-27 00:58:55 +01:00
allow images and media in mail via http: and https:, but remove object tags (already forbiden via CSP)
This commit is contained in:
parent
cdab5914c2
commit
b65b21fe9c
@ -141,7 +141,7 @@ class Mail
|
||||
// tidy eats away even some wanted whitespace, so we switch it off;
|
||||
// we used it for its compacting and beautifying capabilities, which resulted in better html for further processing
|
||||
'tidy'=>0,
|
||||
'elements' => "* -script -meta",
|
||||
'elements' => "* -script -meta -object",
|
||||
'deny_attribute' => 'on*',
|
||||
'schemes'=>'href: file, ftp, http, https, mailto, phone, tel; src: cid, data, file, ftp, http, https; *:file, http, https, cid, src',
|
||||
'hook_tag' =>"hl_email_tag_transform",
|
||||
|
@ -3269,11 +3269,13 @@ $filter['before']= date("d-M-Y", $cutoffdate2);
|
||||
Api\Session::cache_control(true);
|
||||
|
||||
// more strict CSP for displaying mail
|
||||
foreach(['frame-src', 'connect-src', 'manifest-src', 'media-src'] as $src)
|
||||
foreach(['frame-src', 'connect-src', 'manifest-src'] as $src)
|
||||
{
|
||||
Api\Header\ContentSecurityPolicy::add($src, 'none');
|
||||
}
|
||||
Api\Header\ContentSecurityPolicy::add('script-src', 'self', true); // true = remove default 'unsafe-eval'
|
||||
Api\Header\ContentSecurityPolicy::add('img-src', 'http:');
|
||||
Api\Header\ContentSecurityPolicy::add('media-src', ['https:','http:']);
|
||||
}
|
||||
// Compose the content of the frame
|
||||
$frameHtml =
|
||||
|
Loading…
Reference in New Issue
Block a user