Fixed content security policy HTTP header. Thanks for reporting to @n…

…ixahnung. [#641](#641)
znuny · Feb 13, 2025 · 0edc920 · 0edc920
1 parent ba2f39d
commit 0edc920
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,6 @@
+# 6.5.13 2025-02-13
+ - 2025-02-13 Fixed content security policy HTTP header. Thanks for reporting to @nixahnung. [#641](https://github.com/znuny/Znuny/issues/641)
+
 # 6.5.12 2025-02-12
  - 2025-02-06 Added SortBy and SortOrder options to Znuny.Form.Input.Set to sort select field options by key or value.
  - 2025-02-05 Fixed event check in ticket event module Kernel::System::Ticket::Event::TicketDynamicFieldDefault.

diff --git a/Kernel/Output/HTML/Templates/Standard/HTTPHeaders.tt b/Kernel/Output/HTML/Templates/Standard/HTTPHeaders.tt
@@ -18,7 +18,7 @@ X-UA-Compatible: IE=edge,chrome=1
 X-Frame-Options: SAMEORIGIN
 [% END -%]
 [% IF !Config("DisableContentSecurityPolicy") -%]
-Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob;
+Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;
 [% END -%]
 X-Content-Type-Options: nosniff;
 Referrer-Policy: no-referrer;

diff --git a/scripts/apache2-httpd-plack-proxy.conf b/scripts/apache2-httpd-plack-proxy.conf
@@ -41,7 +41,7 @@ ProxyPassReverse /otrs/ http://localhost:5000/
 <IfModule mod_headers.c>
     <Directory "/opt/otrs/var/httpd/htdocs">
         Header set X-Frame-Options "SAMEORIGIN"
-        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob;"
+        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"
         Header set X-Content-Type-Options "nosniff"
         Header set Referrer-Policy "no-referrer"
     </Directory>

diff --git a/scripts/apache2-httpd.include.conf b/scripts/apache2-httpd.include.conf
@@ -125,7 +125,7 @@ Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
 <IfModule mod_headers.c>
     <Directory "/opt/otrs/var/httpd/htdocs">
         Header set X-Frame-Options "SAMEORIGIN"
-        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob;"
+        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"
         Header set X-Content-Type-Options "nosniff"
         Header set Referrer-Policy "no-referrer"
     </Directory>