Fix #3945: Default object-src policy prevents loading pdf on safari

protected/humhub/config/web.php

@@ -49,7 +49,7 @@ $config = [
                     "Referrer-Policy" => "no-referrer-when-downgrade",
                     "X-Permitted-Cross-Domain-Policies" => "master-only",
                     "X-Frame-Options" => "sameorigin",
-                    "Content-Security-Policy" => "default-src *; connect-src  *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'none'; script-src 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';"
+                    "Content-Security-Policy" => "default-src *; connect-src  *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';"
                 ]
             ]
         ]

protected/humhub/docs/CHANGELOG.md

@@ -1,6 +1,10 @@
 HumHub Change Log
 =================
 
+1.4.5 (Unreleased)
+----------------------
+- Fix #3945: Default object-src policy prevents loading pdf on safari
+
 1.4.4 (March 24, 2020)
 ----------------------
 - Fix #3908: `DateHelper::parseDateTime()` returns invalid date if given value is not parsable

protected/humhub/tests/config/common.php

@@ -57,6 +57,7 @@ return [
                         "unsafe-inline" => true
                     ],
                     "object-src" => [
+                        'self' => true
                     ],
                     "frame-src" => [
                         "allow" => [