diff --git a/protected/humhub/config/web.php b/protected/humhub/config/web.php
index c809d029e3..d2f1912c9e 100644
--- a/protected/humhub/config/web.php
+++ b/protected/humhub/config/web.php
@@ -49,7 +49,7 @@ $config = [
 "Referrer-Policy" => "no-referrer-when-downgrade",
 "X-Permitted-Cross-Domain-Policies" => "master-only",
 "X-Frame-Options" => "sameorigin",
- "Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'none'; script-src 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';"
+ "Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';"
 ]
 ]
 ]
diff --git a/protected/humhub/docs/CHANGELOG.md b/protected/humhub/docs/CHANGELOG.md
index afcc88b639..fd08d8fe8d 100644
--- a/protected/humhub/docs/CHANGELOG.md
+++ b/protected/humhub/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 HumHub Change Log
 =================
 
+1.4.5 (Unreleased)
+----------------------
+- Fix #3945: Default object-src policy prevents loading pdf on safari
+
 1.4.4 (March 24, 2020)
 ----------------------
 - Fix #3908: `DateHelper::parseDateTime()` returns invalid date if given value is not parsable
diff --git a/protected/humhub/tests/config/common.php b/protected/humhub/tests/config/common.php
index cb4d56005a..ce461f7204 100644
--- a/protected/humhub/tests/config/common.php
+++ b/protected/humhub/tests/config/common.php
@@ -57,6 +57,7 @@ return [
 "unsafe-inline" => true
 ],
 "object-src" => [
+ 'self' => true
 ],
 "frame-src" => [
 "allow" => [
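Review bot: The new `object-src 'self'` in the `Content-Security-Policy` value of `config/web.php` is sent on every response, so any same-origin URL can now be loaded through `<object>`/`<embed>`, not only the PDF case named in the changelog entry. If user-uploaded files are served from the application's own origin (not visible in this hunk), it is worth confirming they are delivered with a fixed content type and `X-Content-Type-Options: nosniff`, so that an upload cannot be embedded as active object content. I would also record the reason beside the header, e.g. `// object-src 'self' rather than 'none': 'none' blocks PDF loading in Safari (#3945)`, so the relaxation is not later mistaken for an oversight or widened further. The same value is mirrored in the `tests/config/common.php` hunk, and the `$config` array begins and ends outside this hunk.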