From 0d9c37b0067d46669b7258bfff5dfc16d590e1d9 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu <x@xet7.org>
Date: Wed, 6 Apr 2022 17:26:39 +0300
Subject: [PATCH] Fix Can't add attachments because of Content-Security-Policy.

Thanks to Ben0it-T and xet7 !

Fixes #4461
---
 .meteor/packages | 1 +
 .meteor/versions | 1 +
 server/policy.js | 7 +++++++
 3 files changed, 9 insertions(+)

diff --git a/.meteor/packages b/.meteor/packages
index e7be1c582..26b3988df 100644
--- a/.meteor/packages
+++ b/.meteor/packages
@@ -149,3 +149,4 @@ pascoual:pdfkit
 wekan-accounts-lockout
 lmieulet:meteor-coverage
 meteortesting:mocha
+browser-policy-content
diff --git a/.meteor/versions b/.meteor/versions
index 8e372abdf..ba08e059e 100644
--- a/.meteor/versions
+++ b/.meteor/versions
@@ -19,6 +19,7 @@ blaze@2.5.0
 blaze-tools@1.1.2
 boilerplate-generator@1.7.1
 browser-policy-common@1.0.11
+browser-policy-content@1.1.1
 browser-policy-framing@1.1.0
 caching-compiler@1.2.2
 caching-html-compiler@1.2.0
diff --git a/server/policy.js b/server/policy.js
index a8c33a055..cdd4d3697 100644
--- a/server/policy.js
+++ b/server/policy.js
@@ -1,6 +1,13 @@
 import { BrowserPolicy } from 'meteor/browser-policy-common';
 
 Meteor.startup(() => {
+
+  // Default allowed
+  BrowserPolicy.content.allowInlineScripts();
+  BrowserPolicy.content.allowEval();
+  BrowserPolicy.content.allowInlineStyles();
+  BrowserPolicy.content.allowSameOriginForAll();
+
   if (process.env.BROWSER_POLICY_ENABLED === 'true') {
     // Trusted URL that can embed Wekan in iFrame.
     const trusted = process.env.TRUSTED_URL;