From 28fa8e0fbd9f217ab5aedbe3acdd4eeecd4f5654 Mon Sep 17 00:00:00 2001
From: Gerben
Date: Thu, 4 Oct 2018 14:39:27 +0200
Subject: [PATCH] Clarify ugly hack comment

---
 lib/Controller/RawResponse.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/RawResponse.php b/lib/Controller/RawResponse.php
index e7b10e7..99ebdfa 100644
--- a/lib/Controller/RawResponse.php
+++ b/lib/Controller/RawResponse.php
@@ -13,8 +13,9 @@ trait RawResponse {
         $content = $fileNode->getContent();
         $mimetype = $fileNode->getMimeType();
-        // Ugly hack to prevent security middleware messing up the CSP.
-        header(
+        // Ugly hack to have exact control over the response, to e.g. prevent security middleware
+        // messing up the CSP. TODO find a neater solution than bluntly doing header() + echo + exit.
+        header(
             // Add a super strict CSP: no connectivity allowed.
             "Content-Security-Policy: sandbox; default-src 'none'; img-src data:; media-src data:; " .
             "style-src data: 'unsafe-inline'; font-src data:; frame-src data:"
         );
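Review bot: The reworded comment says the middleware is bypassed for exact control, but the `header(` call it annotates has no guard: PHP's `header()` silently does nothing once output has started, so in that case the file content (served with the node's own `$mimetype`) would go out without this CSP at all. Consider guarding it — `if (headers_sent()) { throw new \RuntimeException('Cannot set CSP: headers already sent'); }` — immediately before the call. The comment could also record what the bypass costs, e.g. `// NOTE: skipping the middleware also skips any other security headers it would add; set them explicitly here.`, since any such headers must now be emitted by hand. The trait method continues past the hunk, so the echo/exit and any further headers are not visible here.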