Update CSP header; change order to fix svg display in firefox

Apparently firefox doesn't like "style-src * 'unsafe-inline'", but wants "style-src 'unsafe-inline' *" otherwise it doesn't honor 'unsafe-inline'. In chromium both behave the same. Signed-off-by: Florian Pritz <bluewind@xinu.at>
author: Florian Pritz <bluewind@xinu.at> 2013-10-22 21:07:09 +0200
committer: Florian Pritz <bluewind@xinu.at> 2013-10-22 21:07:09 +0200
commit: 256f8112178fea29e31652a127917e9933535a74 (patch)
tree: 500295fb936579f3f6ca119b31e63a7ec2f2fc49
parent: ca9258d2106204750d688e8ab0b2ce916b214828 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/application/controllers/file.php b/application/controllers/file.php
index 4d88ed465..8e2f35430 100644
--- a/application/controllers/file.php
+++ b/application/controllers/file.php
@@ -121,7 +121,7 @@ class File extends MY_Controller {
 			// prevent javascript from being executed and forbid frames
 			// this should allow us to serve user submitted HTML content without huge security risks
 			foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $header_name) {
-				header("$header_name: allow 'none'; img-src *; media-src *; font-src *; style-src * 'unsafe-inline'; script-src 'none'; object-src *; frame-src 'none'; ");
+				header("$header_name: default-src 'none'; img-src *; media-src *; font-src *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
 			}
 			handle_etag($etag);
 			$this->ddownload->serveFile($file, $filedata["filename"], $filedata["mimetype"]);
author	Florian Pritz <bluewind@xinu.at>	2013-10-22 21:07:09 +0200
committer	Florian Pritz <bluewind@xinu.at>	2013-10-22 21:07:09 +0200
commit	256f8112178fea29e31652a127917e9933535a74 (patch)
tree	500295fb936579f3f6ca119b31e63a7ec2f2fc49
parent	ca9258d2106204750d688e8ab0b2ce916b214828 (diff)