Merge pull request #14773 from owncloud/allow-iframes-from-self-in-share-view

Allow iframes from same domain in share view

Author: LukasReschke

apps/files_sharing/lib/controllers/sharecontroller.php

@@ -203,7 +203,12 @@ public function showShare($token, $path = '') {
 		$shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
 		$shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
 
-		return new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
+		$csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
+		$csp->addAllowedFrameDomain('\'self\'');
+		$response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
+		$response->setContentSecurityPolicy($csp);
+
+		return $response;
 	}
 
 	/**

apps/files_sharing/tests/controller/sharecontroller.php

@@ -159,7 +159,12 @@ public function testShowShare() {
 			'nonHumanFileSize' => 33,
 			'maxSizeAnimateGif' => 10,
 		);
+
+		$csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
+		$csp->addAllowedFrameDomain('\'self\'');
 		$expectedResponse = new TemplateResponse($this->container['AppName'], 'public', $sharedTmplParams, 'base');
+		$expectedResponse->setContentSecurityPolicy($csp);
+
 		$this->assertEquals($expectedResponse, $response);
 	}