From b61f0f66b1dc7fb7d6c120359d301f52d1fa77a9 Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Wed, 19 Nov 2025 08:52:54 +0100
Subject: [PATCH 1/2] fix: add update server to default csp rules
---
 services/proxy/pkg/config/csp.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml
index 8c06b67523..b0f5e7b453 100644
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -5,6 +5,7 @@ directives:
 - '''self'''
 - 'blob:'
 - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+ - 'https://update.opencloud.eu/'
 default-src:
 - '''none'''
 font-src:
From 25d55bab5071007d317762b92c8b9c3da6a340d3 Mon Sep 17 00:00:00 2001
From: Viktor Scharf
Date: Fri, 21 Nov 2025 16:44:33 +0100
Subject: [PATCH 2/2] adapt tests
---
 .../features/coreApiWebdavOperations/downloadFile.feature | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index 869d8af7ca..06fbae9ca2 100644
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
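Review bot: The new `https://update.opencloud.eu/` entry in services/proxy/pkg/config/csp.yaml widens the default policy for every deployment, and nothing in the file says why the origin is allowed or which feature depends on it. The directive key sits above the hunk, but the expected header in patch 2/2 places the host under `connect-src`, so any script running in the page may send requests to that host; the same expected header shows `script-src 'self' 'unsafe-inline'`. I would add a comment above the entry, for example `# update server contacted by the web UI's update check; remove if update checks are disabled`, after confirming that wording against the feature. Whether update checks can be switched off is not visible here; if they can, air-gapped or privacy-sensitive installs would want this origin absent from their policy, so the override path deserves a mention next to the entry.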
@@ -219,7 +219,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''; filename="" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://update.opencloud.eu/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |
@@ -247,7 +247,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''%22quote%22double%22.txt; filename=""quote"double".txt" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://update.opencloud.eu/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |