From 3e2931068e31852c7a2c9f47b6d3774320d2b2bf Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 28 Mar 2018 17:06:10 +0200
Subject: [PATCH] allow CSP worker-src blob:

---
 views/bootstrap/class.Bootstrap.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 444c0bcbc..f43c8ad5d 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -54,12 +54,13 @@ class SeedDMS_Bootstrap_Style extends SeedDMS_View_Common {
 /* We still need unsafe-eval, because printDocumentChooserHtml and
 * printFolderChooserHtml will include a javascript file with ajax
 * which is evaled by jquery
+ * worker-src blob: is needed for cytoscape
 * X-WebKit-CSP is deprecated, Chrome understands Content-Security-Policy
 * since version 25+
 * X-Content-Security-Policy is deprecated, Firefox understands
 * Content-Security-Policy since version 23+
 */
- $csp_rules = "script-src 'self' 'unsafe-eval';"; // style-src 'self';";
+ $csp_rules = "script-src 'self' 'unsafe-eval'; worker-src blob:;"; // style-src 'self';";
 foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
 header($csp . ": " . $csp_rules);
 }
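Review bot: The new `worker-src blob:` in the `$csp_rules` assignment only takes effect in browsers that implement the CSP Level 3 `worker-src` directive; engines without it fall back to `child-src` and then `script-src`, and the `script-src 'self' 'unsafe-eval'` on the same line does not list `blob:`, so the cytoscape worker this comment says it needs would presumably still be blocked there. That fallback is worth a line in the comment block, e.g. `* browsers without worker-src fall back to child-src/script-src, which do not allow blob:`, so a later reader does not widen `script-src` by accident. The same string is also sent in the deprecated X-WebKit-CSP and X-Content-Security-Policy headers in the `foreach` below, which predate `worker-src`; an unrecognised directive should be ignored there, but noting that in the comment would save the next maintainer the check. The trailing `// style-src 'self';"` fragment after the assignment is leftover commented-out code and could be dropped from the new line.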