Index: /branches/rel_ag_9_4_5/fileshare/httpd.conf
===================================================================
--- /branches/rel_ag_9_4_5/fileshare/httpd.conf	(revision 20314)
+++ /branches/rel_ag_9_4_5/fileshare/httpd.conf	(working copy)
@@ -28,12 +28,12 @@
 
 setenv.add-response-header = (
 				"X-Frame-Options" => "SAMEORIGIN", 
-				"Content-Security-Policy" => "frame-ancestors 'self'; default-src 'self' data: gap: wss: https://ssl.gstatic.com https://*.duosecurity.com https://open.work.weixin.qq.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.duosecurity.com", 
+				"Content-Security-Policy" => "frame-ancestors 'self'; default-src 'self' data: gap: wss: https://ssl.gstatic.com https://*.duosecurity.com https://open.work.weixin.qq.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.duosecurity.com;object-src 'self'", 
 				"X-Content-Type-Options" => "nosniff", 
 				"X-XSS-Protection" => "1; mode=block",
 				"Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
 				"X-Contents-Security-Policy" => "allow self",
-				"X-WebKit-CSP" => "default-src 'self' data: gap: wss: https://ssl.gstatic.com https://*.duosecurity.com https://open.work.weixin.qq.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.duosecurity.com", 
+				"X-WebKit-CSP" => "default-src 'self' data: gap: wss: https://ssl.gstatic.com https://*.duosecurity.com https://open.work.weixin.qq.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.duosecurity.com;object-src 'self'", 
 				"Referrer-Policy" => "strict-origin-when-cross-origin",
 				"X-Permitted-Cross-Domain-Policies" => "none",
 				"X-Download-Options" => "noopen",
Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/http_proxy.h
===================================================================
--- /branches/rel_ag_9_4_5/uproxy/http_proxy/http_proxy.h	(revision 20314)
+++ /branches/rel_ag_9_4_5/uproxy/http_proxy/http_proxy.h	(working copy)
@@ -500,7 +500,7 @@
 #define X_CONTENT_SECURITY_POLICY_STR "X-Content-Security-Policy: allow self"
 #define X_CONTENT_SECURITY_POLICY_STR_LEN (sizeof(X_CONTENT_SECURITY_POLICY_STR)-1)
 
-#define X_WEBKIT_CSP_STR "X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+#define X_WEBKIT_CSP_STR "X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'"
 #define X_WEBKIT_CSP_STR_LEN (sizeof(X_WEBKIT_CSP_STR)-1)
 
 #define REFERRER_POLICY_STR "Referrer-Policy: strict-origin-when-cross-origin"
Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c
===================================================================
--- /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c	(revision 20314)
+++ /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c	(working copy)
@@ -478,7 +478,7 @@
 	char x_download_options_str[X_DOWNLOAD_OPTIONS_STR_LEN+1] = {'\0'}; /* X-Download-Options header */
 
 	snprintf(content_security_str, CONT_SEC_MAX_LEN,
-            "%sframe-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'", CONT_SEC_PREFIX_STR);
+            "%sframe-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'", CONT_SEC_PREFIX_STR);
 	snprintf(x_content_type_options_str, X_CONT_TYPE_OPT_LEN+1, X_CONT_TYPE_OPT_STR);
 	snprintf(x_xss_protection_str, X_XSS_PROT_LEN+1, X_XSS_PROT_STR);
 	snprintf(x_strict_transport_security_str, X_STRICT_TRANSPORT_SECURITY_LEN+1, X_STRICT_TRANSPORT_SECURITY_STR);
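Review bot: The new format string written into content_security_str is 19 bytes longer than before, but the snprintf is bounded by the fixed constant CONT_SEC_MAX_LEN and its return value is not checked, so if that constant was sized for the previous string the header is silently truncated, possibly mid-directive, rather than failing loudly. The declaration of content_security_str and the definition of CONT_SEC_MAX_LEN are outside this hunk, so I cannot confirm the headroom from here; either way the write should verify it fit: `int n = snprintf(content_security_str, CONT_SEC_MAX_LEN, "%s...; object-src 'self'", CONT_SEC_PREFIX_STR);` followed by `if (n < 0 || n >= CONT_SEC_MAX_LEN) { /* header truncated: treat as error */ }`. The enclosing function starts and ends outside the hunk.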
@@ -9925,12 +9925,12 @@
 #define REDIRECT_RSP_REFRESH2 "; url="
 #define REDIRECT_RSP_CONTENT_LEN "Content-Length: "
 #define REDIRECT_RSP_CACHE_CTL "Cache-Control: no-store, no-cache, must-revalidate\r\nX-Frame-Options: DENY\r\n"
-#define REDIRECT_RSP_CONT_SEC "Content-Security-Policy: frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'\r\n"
+#define REDIRECT_RSP_CONT_SEC "Content-Security-Policy: frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'\r\n"
 #define REDIRECT_RSP_X_CONT_TYPE_OPT "X-Content-Type-Options: nosniff\r\n"
 #define REDIRECT_RSP_X_XSS_PROT "X-XSS-Protection: 1; mode=block\r\n"
 #define REDIRECT_RSP_STRICT_TRANSPORT_SECURITY "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
 #define REDIRECT_RSP_X_CONTENT_SECURITY_POLICY "X-Content-Security-Policy: allow self\r\n"
-#define REDIRECT_RSP_X_WEBKIT_CSP "X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval'\r\n"
+#define REDIRECT_RSP_X_WEBKIT_CSP "X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'\r\n"
 #define REDIRECT_RSP_REFERRER_POLICY "Referrer-Policy: strict-origin-when-cross-origin\r\n"
 #define REDIRECT_RSP_X_PERMITTED_CROSS_DOMAIN_POLICIES "X-Permitted-Cross-Domain-Policies: none\r\n"
 #define REDIRECT_RSP_X_DOWNLOAD_OPTIONS "X-Download-Options: noopen\r\n"
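Review bot: REDIRECT_RSP_CONT_SEC and REDIRECT_RSP_X_WEBKIT_CSP each grow by 19 bytes here, and the code that assembles the redirect response from these macros is not in the hunk, so it is not visible whether the destination buffer is sized from `sizeof` of the macros or from a hand-counted constant. If it is the latter, that constant needs the 38 additional bytes, or the assembly risks an overflow or a truncated header block; a comment on the macro group such as `/* any change to these header strings must be reflected in the redirect response buffer size */` would at least make the coupling explicit to the next maintainer. If the build is C11, a `_Static_assert` summing the `sizeof` of the header macros against that buffer size would enforce it at compile time.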
