From 0e80d3664660c7a7e1adb5c345082bc3307bdaba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Fri, 23 Feb 2024 10:47:21 +0100
Subject: [PATCH] fix: Set allowed script domain instead of inline script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Controller/DocumentController.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index 8286fe45..4e534f08 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -264,6 +264,7 @@ public function index($fileId, $path = null) {
 $response = new TemplateResponse('officeonline', 'documents', $params, 'base');
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
+ $policy->addAllowedScriptDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
 $response->setContentSecurityPolicy($policy);
 $response->addHeader('Cache-Control', 'no-cache, no-store');
 $response->addHeader('Expires', '-1');
@@ -329,7 +330,7 @@ public function createFromTemplate($templateId, $fileName, $dir) {
 $response = new TemplateResponse('officeonline', 'documents', $params, 'base');
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
- $policy->allowInlineScript(true);
+ $policy->addAllowedScriptDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
 $response->setContentSecurityPolicy($policy);
 return $response;
 }
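Review bot: The added line in index() evaluates `$this->domainOnly($this->appConfig->getAppValue('public_wopi_url'))` a second time, directly after the identical expression on the preceding addAllowedFrameDomain line; hoist it once, `$wopiDomain = $this->domainOnly($this->appConfig->getAppValue('public_wopi_url'));`, and pass `$wopiDomain` to both `addAllowedFrameDomain` and `addAllowedScriptDomain`. The same duplicated lookup appears in the createFromTemplate hunk below and in publicPage and remote, so a small private method that builds the document-view ContentSecurityPolicy would remove the four copies and keep the frame and script allow-lists from drifting apart. It is also worth confirming what domainOnly() returns when public_wopi_url is unset or empty and how ContentSecurityPolicy treats that value, since the same string now also governs script-src; domainOnly is not visible in this hunk. index() continues outside the hunk.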
@@ -381,7 +382,7 @@ public function publicPage($shareToken, $fileName, $fileId) {
 $response = new TemplateResponse('officeonline', 'documents', $params, 'base');
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
- $policy->allowInlineScript(true);
+ $policy->addAllowedScriptDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
 $response->setContentSecurityPolicy($policy);
 return $response;
 }
@@ -445,7 +446,7 @@ public function remote($shareToken, $remoteServer, $remoteServerToken, $filePath
 $response = new TemplateResponse('officeonline', 'documents', $params, 'base');
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('wopi_url')));
- $policy->allowInlineScript(true);
+ $policy->addAllowedScriptDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
 $policy->addAllowedFrameAncestorDomain('https://*');
 $response->setContentSecurityPolicy($policy);
 $response->addHeader('X-Frame-Options', 'ALLOW');
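Review bot: In the remote() hunk the frame domain on the unchanged line above is read from `wopi_url`, while the new addAllowedScriptDomain line reads `public_wopi_url`, so the script-src and frame-src allow-lists can name different origins whenever the two settings differ; in index, createFromTemplate and publicPage both directives come from `public_wopi_url`. If the scripts for the remote case are served from the same host as the frame, the new line should probably be `$policy->addAllowedScriptDomain($this->domainOnly($this->appConfig->getAppValue('wopi_url')));`; if the difference is intentional, a comment such as `// scripts are loaded from the public WOPI host even when the frame uses the internal wopi_url` would stop the next reader from "fixing" it. Hoisting each lookup into a named local would also make any such mismatch visible at a glance. remote()'s body continues outside the hunk.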