Mozilla has an observatory.mozilla.org
site to test web sites for complaince with security requirements. The HTTP Content Security Policy header can be added to specify a policy. Modern web sites are expected to use solely safe methods and the policy should be as strict as possible. Governments and third parties often require adherence to best practice security standards.
Default owncloud setting:
default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
There are two problematic settings:
script-src 'unsafe-eval'
style-src 'unsafe-inline'
These settings work, but they reduce the level of security because they would not block XSS attacks.
Is it possible to change the code to eliminate unsafe-* policies?
Documentation:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy