Aurora Files documentation

Content-Security-Policy

Starting from v8.5.1, Aurora Files supports sending the Content-Security-Policy (CSP) header, which helps mitigate cross-site scripting, clickjacking and other code-injection attacks. CSP instructs the browser to load content only from the sources the policy allows. How much protection you actually get depends on the directive values: the default values below keep 'unsafe-inline' and 'unsafe-eval' because the web client needs them, so the header mainly restricts where external resources may come from, and framing of the application by other sites is only controlled if you add a frame-ancestors directive (none of the default values below include one).

Starting from 8.5.3

By default, the feature is enabled and the CSP header is set to the following value, configured in the data/settings/modules/CoreWebclient.config file:

"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data: blob:; frame-src *; font-src 'self' data:",
    "string"
],

As you can see, it is a compound value made up of the following parts:

  • default-src 'self';
    Required. Base setting; permits loading content (images, JS files, etc.) from the same origin as the page.
  • default-src 'unsafe-eval';
    Required because the KnockoutJS framework relies on it.
  • default-src 'unsafe-inline';
    Required. Used for injecting JS with variables into HTML as inline scripts.
  • img-src *;
    Allows displaying images in messages from any origin.
  • img-src data:;
    Used for images in signatures and messages, the image in the IOS module, and <link rel="shortcut icon">.
  • default-src blob:; img-src blob:;
    Used for encrypted files.
  • frame-src *;
    Used for shortcuts in Files.
  • font-src 'self' data:;
    Used by the video-JS vendor library in OpenPgpFilesWebclient (public link for a file).

So, for instance, if you do not use encrypted files or file shortcuts, you can remove the respective values from the combined CSP header value: blob: from default-src and img-src, and the frame-src * directive. Note that a fetch directive that is removed entirely falls back to default-src, so dropping frame-src * restricts frames to the default-src sources ('self' among them) rather than leaving them unrestricted. After changing the value, confirm what the server actually sends with a quick header check, for example curl -sI https://your-aurora-host/ | grep -i content-security-policy.
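The following is an added example, not code from Aurora Files or its documentation. It parses a CSP value of the form shown above, resolves the effective source list per fetch directive using the CSP fallback-to-default-src rules, trims the sources the documentation ties to encrypted files and shortcuts, and flags the weak settings that remain. The constant AURORA_DEFAULT_CSP is copied from the 8.5.3 default above; the function names and the finding texts are this example's own.

```javascript
// Added example, not Aurora Files code: inspect and tailor the CSP value the web client sends.

// The 8.5.3+ default value from CoreWebclient.config, copied from the documentation above.
const AURORA_DEFAULT_CSP =
  "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data: blob:; frame-src *; font-src 'self' data:";

// Fallback chain per fetch directive (subset of the CSP3 table): the first directive
// present in the policy wins. frame-ancestors has no entry because it never falls back.
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'img-src': ['default-src'],
  'font-src': ['default-src'],
  'connect-src': ['default-src'],
  'media-src': ['default-src'],
  'object-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// Split "name src src; name src" into a Map of directive name -> source list.
// Browsers honour the first occurrence of a duplicated directive, so later copies are dropped.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Serialize the Map back into a header value, preserving directive order.
function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Effective source list for a directive; null means the policy does not restrict it at all.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// Drop the sources the documentation ties to optional features. frame-src is removed
// outright when shortcuts are unused, so frames then fall back to default-src.
function tailorPolicy(value, { encryptedFiles = true, fileShortcuts = true } = {}) {
  const policy = parseCsp(value);
  if (!encryptedFiles) {
    for (const name of ['default-src', 'img-src']) {
      if (policy.has(name)) policy.set(name, policy.get(name).filter((s) => s !== 'blob:'));
    }
  }
  if (!fileShortcuts) policy.delete('frame-src');
  return serializeCsp(policy);
}

// Flag what a reviewer would call out: inline/eval script allowed, any-origin frames,
// and no control over who may frame the application.
function auditCsp(value) {
  const policy = parseCsp(value);
  const findings = [];
  const scripts = effectiveSources(policy, 'script-src') || [];
  if (scripts.includes("'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline': an injected inline <script> still runs");
  }
  if (scripts.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval() and new Function() are not blocked");
  }
  const frames = effectiveSources(policy, 'frame-src') || [];
  if (frames.includes('*')) findings.push('frame-src allows any origin to be embedded in the page');
  if (!policy.has('frame-ancestors')) {
    findings.push('no frame-ancestors: this header does not stop other sites from framing the app');
  }
  return findings;
}

// Stand-alone run: audit the shipped default, then show the value trimmed for a
// deployment that uses neither encrypted files nor file shortcuts.
console.log(auditCsp(AURORA_DEFAULT_CSP));
console.log(tailorPolicy(AURORA_DEFAULT_CSP, { encryptedFiles: false, fileShortcuts: false }));
```

The audit deliberately reports 'unsafe-inline' and 'unsafe-eval' even though the documentation marks them as required: they are the reason this header does not, on its own, stop script injection, and the report makes that explicit for a deployment review. The tailored value is what you would paste back into CoreWebclient.config in place of the default.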


To disable sending this header, set the value to an empty string.

Prior to 8.5.3

By default, the feature is enabled and the CSP header is set to the following value, configured in the data/settings/config.json file:

"ContentSecurityPolicy": [
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; img-src * data:; frame-src *",
    "string"
],


To disable sending this header, set the value to an empty string.

NB: If you are upgrading from a previous version, you may need to add the above value to the data/settings/config.json file manually.