From be08b7f0fdc281f9d95ae576dcd2d87676505d8e Mon Sep 17 00:00:00 2001
From: andreimarcu
Date: Wed, 21 Oct 2015 18:20:14 -0400
Subject: [PATCH] Remove "sandbox" from files CSP to have pdfs work in chrome
---
 README.md | 2 +-
 server.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d98617e..45b94e2 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Usage
 - ```-maxsize 4294967296``` -- maximum upload file size in bytes (default 4GB)
 - ```-allowhotlink``` -- Allow file hotlinking
 - ```-contentsecuritypolicy "..."``` -- Content-Security-Policy header for pages (default is "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;")
-- ```-filecontentsecuritypolicy "..."``` -- Content-Security-Policy header for files (default is "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;"")
+- ```-filecontentsecuritypolicy "..."``` -- Content-Security-Policy header for files (default is "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; referrer origin;")
 - ```-xframeoptions "..." ``` -- X-Frame-Options header (default is "SAMEORIGIN")
 - ```-remoteuploads``` -- (optionally) enable remote uploads (/upload?url=https://...)
 - ```-nologs``` -- (optionally) disable request logs in stdout
diff --git a/server.go b/server.go
index 739aefb..aa145b0 100644
--- a/server.go
+++ b/server.go
@@ -190,7 +190,7 @@ func main() { "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;", "value of default Content-Security-Policy header") flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy", - "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;", + "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; referrer origin;", "value of Content-Security-Policy header for file access") flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN", "value of X-Frame-Options header")
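Review bot: Dropping `sandbox` from the default of the `filecontentsecuritypolicy` flag removes the unique-origin isolation for every served upload, not only PDFs, so an uploaded HTML or SVG file is now rendered in the site's own origin. `default-src 'none'` still blocks script in CSP-enforcing browsers, but it does not cover `form-action`, and `object-src 'self'` lets an uploaded document embed other uploads as plugin content. If the file handler can tell the content type (not visible in this hunk), consider keeping `sandbox` in the default and omitting it only for `application/pdf` responses; otherwise it would help to confirm that files are served with `X-Content-Type-Options: nosniff` and that active types are sent as attachments. At minimum a comment above the flag would record the trade-off, e.g. `// "sandbox" omitted so PDFs render in Chrome; served uploads are therefore same-origin with the site.` The body of main() starts and ends outside this hunk.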