diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index 5f1233351f3..e0009a94d60 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -262,7 +262,7 @@ protected function pageHandler(
 ]);
 $csp = new ContentSecurityPolicy();
- $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
 $csp->addAllowedMediaDomain('blob:');
 $csp->addAllowedWorkerSrcDomain('blob:');
 $csp->addAllowedWorkerSrcDomain("'self'");
@@ -273,7 +273,10 @@ protected function pageHandler(
 $csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 $csp->addAllowedConnectDomain('blob:');
 $csp->addAllowedConnectDomain("'self'");
- $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
+ foreach ($this->talkConfig->getAllServerUrlsForCSP() as $server) {
+ $csp->addAllowedConnectDomain($server);
+ }
+ $response->setContentSecurityPolicy($csp);
 if ($throttle) {
 // Logged-in user tried to access a chat they can not access
@@ -325,7 +328,7 @@ public function recording(string $token): Response {
 $response->setFooterVisible(false);
 $csp = new ContentSecurityPolicy();
- $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
 $csp->addAllowedMediaDomain('blob:');
 $csp->addAllowedWorkerSrcDomain('blob:');
 $csp->addAllowedWorkerSrcDomain("'self'");
@@ -336,7 +339,9 @@ public function recording(string $token): Response {
 $csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 $csp->addAllowedConnectDomain('blob:');
 $csp->addAllowedConnectDomain("'self'");
- $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
+ foreach ($this->talkConfig->getAllServerUrlsForCSP() as $server) {
+ $csp->addAllowedConnectDomain($server);
+ }
 $response->setContentSecurityPolicy($csp);
 return $response;
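Review bot: `$response->setContentSecurityPolicy($csp);` is an added line in the second pageHandler hunk, so as far as this diff shows the policy built in pageHandler was previously never attached to the response on this path; that is a behaviour change beyond swapping the connect-src wildcard and belongs in the commit message (if the call existed further down and was removed, that removal is not in the hunks I see). The values from `$this->talkConfig->getAllServerUrlsForCSP()` are fed into connect-src verbatim and I cannot see the helper, so please confirm it returns origin-form entries only (scheme://host[:port], no path, no wildcard fallback) and never an empty string, because a stray `;` or whitespace in an admin-configured server URL would otherwise split the header into additional directives. A cheap local guard would be `if ($server !== '') { $csp->addAllowedConnectDomain($server); }`, though validating once inside the helper is the better place. pageHandler begins before the first hunk and continues past `if ($throttle) {`.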
@@ -412,7 +417,7 @@ protected function guestEnterRoom(
 $response->setFooterVisible(false);
 $csp = new ContentSecurityPolicy();
- $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
 $csp->addAllowedMediaDomain('blob:');
 $csp->addAllowedWorkerSrcDomain('blob:');
 $csp->addAllowedWorkerSrcDomain("'self'");
@@ -423,7 +428,9 @@ protected function guestEnterRoom(
 $csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 $csp->addAllowedConnectDomain('blob:');
 $csp->addAllowedConnectDomain("'self'");
- $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
+ foreach ($this->talkConfig->getAllServerUrlsForCSP() as $server) {
+ $csp->addAllowedConnectDomain($server);
+ }
 $response->setContentSecurityPolicy($csp);
 return $response;
 }
@@ -470,7 +477,7 @@ protected function invitedEmail(
 $response->setFooterVisible(false);
 $csp = new ContentSecurityPolicy();
- $csp->addAllowedConnectDomain('*');
+ $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
 $csp->addAllowedMediaDomain('blob:');
 $csp->addAllowedWorkerSrcDomain('blob:');
 $csp->addAllowedWorkerSrcDomain("'self'");
@@ -481,7 +488,9 @@ protected function invitedEmail(
 $csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 $csp->addAllowedConnectDomain('blob:');
 $csp->addAllowedConnectDomain("'self'");
- $csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
+ foreach ($this->talkConfig->getAllServerUrlsForCSP() as $server) {
+ $csp->addAllowedConnectDomain($server);
+ }
 $response->setContentSecurityPolicy($csp);
 return $response;
 }
diff --git a/lib/Listener/CSPListener.php b/lib/Listener/CSPListener.php
index 5d7b291755c..e13487c7b2f 100644
--- a/lib/Listener/CSPListener.php
+++ b/lib/Listener/CSPListener.php
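Review bot: The CSP allow-list in the invitedEmail hunks is the fourth verbatim copy of the same block in this file (pageHandler, recording, guestEnterRoom, invitedEmail), and this very commit had to edit all four in lockstep; a missed copy would have left `connect-src *` on what, by their names, look like the unauthenticated guest and e-mail-invite entry points. I would move the construction into one private helper and have each method call `$response->setContentSecurityPolicy($this->buildTalkCsp());`, so the allow-list can only drift in one place. The lines between the two hunks of each method are not visible to me, so the helper below marks them as an unchanged stretch. invitedEmail starts before its first hunk.

```php
/**
 * Content-Security-Policy shared by every Talk page response
 * (logged-in room, guest room, e-mail invite, recording).
 * Built in one place so the allow-list cannot drift between entry points.
 */
private function buildTalkCsp(): ContentSecurityPolicy {
	$csp = new ContentSecurityPolicy();
	$csp->addAllowedImageDomain('https://*.tile.openstreetmap.org');
	$csp->addAllowedMediaDomain('blob:');
	$csp->addAllowedWorkerSrcDomain('blob:');
	$csp->addAllowedWorkerSrcDomain("'self'");
	// … unchanged: remaining allow-list entries between the two hunks …
	$csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
	$csp->addAllowedConnectDomain('blob:');
	$csp->addAllowedConnectDomain("'self'");
	foreach ($this->talkConfig->getAllServerUrlsForCSP() as $server) {
		$csp->addAllowedConnectDomain($server);
	}
	return $csp;
}
```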
@@ -39,6 +39,7 @@ public function handle(Event $event): void {
 $csp->addAllowedChildSrcDomain("'self'");
 $csp->addAllowedScriptDomain('blob:');
 $csp->addAllowedScriptDomain("'self'");
+ $csp->addAllowedScriptDomain("'wasm-unsafe-eval'");
 $csp->addAllowedConnectDomain('blob:');
 $csp->addAllowedConnectDomain("'self'");
 foreach ($this->config->getAllServerUrlsForCSP() as $server) {
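Review bot: The added `'wasm-unsafe-eval'` in script-src carries no comment saying which WebAssembly feature requires it, and since this is an event listener rather than a Talk page controller I cannot tell from the hunk how many responses this policy is applied to; if it fires beyond Talk's own pages, every one of them now permits WebAssembly compilation from any allowed script source. I would add a comment above the line naming the consumer, along the lines of `// 'wasm-unsafe-eval': needed to compile the WebAssembly modules used by <feature>; it does not re-enable eval() of JavaScript`, with <feature> filled in by whoever knows which module needs it. handle() begins before this hunk and continues past the open `foreach (...) {` on its last line.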