Set empty CSP by default

author Roeland Jago Douma <roeland@famdouma.nl>

Wed, 3 Apr 2019 16:42:34 +0000 (18:42 +0200)

committer Roeland Jago Douma <roeland@famdouma.nl>

Tue, 16 Apr 2019 12:09:39 +0000 (14:09 +0200)
author Roeland Jago Douma <roeland@famdouma.nl>
Wed, 3 Apr 2019 16:42:34 +0000 (18:42 +0200)
committer Roeland Jago Douma <roeland@famdouma.nl>
Tue, 16 Apr 2019 12:09:39 +0000 (14:09 +0200)
diff --git a/lib/public/AppFramework/Http/DataDisplayResponse.php b/lib/public/AppFramework/Http/DataDisplayResponse.php

index 4932b9db6688e53f4f92023dbff2a5d76100247b..3ab64c470e5dd0d79cec1be0a2fa67cd4b864fd9 100644 (file)
--- a/lib/public/AppFramework/Http/DataDisplayResponse.php
+++ b/lib/public/AppFramework/Http/DataDisplayResponse.php
@@ -49,6 +49,8 @@ class DataDisplayResponse extends Response {
          */
         public function __construct($data='', $statusCode=Http::STATUS_OK,
                                     $headers=[]) {
+               parent::__construct();
+
                 $this->data = $data;
                 $this->setStatus($statusCode);
                 $this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/DataResponse.php b/lib/public/AppFramework/Http/DataResponse.php

index 17e68134438904aa54b45af7d78c10c1823a72c8..9c7a386f7cdc25881025e9ce52304777ac114b64 100644 (file)
--- a/lib/public/AppFramework/Http/DataResponse.php
+++ b/lib/public/AppFramework/Http/DataResponse.php
@@ -52,6 +52,8 @@ class DataResponse extends Response {
          */
         public function __construct($data=array(), $statusCode=Http::STATUS_OK,
                                     array $headers=array()) {
+               parent::__construct();
+
                 $this->data = $data;
                 $this->setStatus($statusCode);
                 $this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/DownloadResponse.php b/lib/public/AppFramework/Http/DownloadResponse.php

index 46f318d9b82771cb6587291804349961bad189b5..774a6287cb2a483304175609945c0de2fcc4c353 100644 (file)
--- a/lib/public/AppFramework/Http/DownloadResponse.php
+++ b/lib/public/AppFramework/Http/DownloadResponse.php
@@ -30,7 +30,7 @@ namespace OCP\AppFramework\Http;
   * Prompts the user to download the a file
   * @since 7.0.0
   */
-class DownloadResponse extends \OCP\AppFramework\Http\Response {
+class DownloadResponse extends Response {
  
         private $filename;
         private $contentType;
@@ -42,6 +42,8 @@ class DownloadResponse extends \OCP\AppFramework\Http\Response {
          * @since 7.0.0
          */
         public function __construct($filename, $contentType) {
+               parent::__construct();
+
                 $this->filename = $filename;
                 $this->contentType = $contentType;
  
diff --git a/lib/public/AppFramework/Http/FileDisplayResponse.php b/lib/public/AppFramework/Http/FileDisplayResponse.php

index ab23701f89370f92757434c7c8670ac1c1bc1255..2d2dd29e6a1b3f66c350ee5c9cf7415a2dfd6086 100644 (file)
--- a/lib/public/AppFramework/Http/FileDisplayResponse.php
+++ b/lib/public/AppFramework/Http/FileDisplayResponse.php
@@ -45,6 +45,8 @@ class FileDisplayResponse extends Response implements ICallbackResponse {
          */
         public function __construct($file, $statusCode=Http::STATUS_OK,
                                                                 $headers=[]) {
+               parent::__construct();
+
                 $this->file = $file;
                 $this->setStatus($statusCode);
                 $this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/JSONResponse.php b/lib/public/AppFramework/Http/JSONResponse.php

index 1b8b676e6013c066e57de2ef54560df84e0cf68c..b80434079bac84d5ac4378dfbf53d842137ff27d 100644 (file)
--- a/lib/public/AppFramework/Http/JSONResponse.php
+++ b/lib/public/AppFramework/Http/JSONResponse.php
@@ -53,6 +53,8 @@ class JSONResponse extends Response {
          * @since 6.0.0
          */
         public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
+               parent::__construct();
+
                 $this->data = $data;
                 $this->setStatus($statusCode);
                 $this->addHeader('Content-Type', 'application/json; charset=utf-8');
diff --git a/lib/public/AppFramework/Http/NotFoundResponse.php b/lib/public/AppFramework/Http/NotFoundResponse.php

index 7f068a4c413013dd0b5e5fb787fe0249fa1cd73b..6d764ec526e7b56444439e002446c70fa548a846 100644 (file)
--- a/lib/public/AppFramework/Http/NotFoundResponse.php
+++ b/lib/public/AppFramework/Http/NotFoundResponse.php
@@ -35,6 +35,8 @@ class NotFoundResponse extends Response {
          * @since 8.1.0
          */
         public function __construct() {
+               parent::__construct();
+
                 $this->setStatus(404);
         }
  
diff --git a/lib/public/AppFramework/Http/OCSResponse.php b/lib/public/AppFramework/Http/OCSResponse.php

index 3480aa172ff0351e8b28257c015780b536f782f7..5f56913a45a8af68cab6dc1c77dc3e4a4e53cc6f 100644 (file)
--- a/lib/public/AppFramework/Http/OCSResponse.php
+++ b/lib/public/AppFramework/Http/OCSResponse.php
@@ -59,6 +59,8 @@ class OCSResponse extends Response {
         public function __construct($format, $statuscode, $message,
                                                                 $data=[], $itemscount='',
                                                                 $itemsperpage='') {
+               parent::__construct();
+
                 $this->format = $format;
                 $this->statuscode = $statuscode;
                 $this->message = $message;
diff --git a/lib/public/AppFramework/Http/RedirectResponse.php b/lib/public/AppFramework/Http/RedirectResponse.php

index 0ce3a64cb38fdaf1bb3d4f84a4dbdda9f7692d6e..dc44bbe999c9fd11917df43ccfcd70a76e0c34ae 100644 (file)
--- a/lib/public/AppFramework/Http/RedirectResponse.php
+++ b/lib/public/AppFramework/Http/RedirectResponse.php
@@ -43,6 +43,8 @@ class RedirectResponse extends Response {
          * @since 7.0.0
          */
         public function __construct($redirectURL) {
+               parent::__construct();
+
                 $this->redirectURL = $redirectURL;
                 $this->setStatus(Http::STATUS_SEE_OTHER);
                 $this->addHeader('Location', $redirectURL);
diff --git a/lib/public/AppFramework/Http/Response.php b/lib/public/AppFramework/Http/Response.php

index a6f5afd3c185edb78e3b673b0dfcf1284f8edd1d..98c0a7f5f70cfb185170c966e3aa6bed3a6452bc 100644 (file)
--- a/lib/public/AppFramework/Http/Response.php
+++ b/lib/public/AppFramework/Http/Response.php
@@ -89,6 +89,15 @@ class Response {
         /** @var array */
         private $throttleMetadata = [];
  
+       /**
+        * Response constructor.
+        *
+        * @since 17.0.0
+        */
+       public function __construct() {
+               $this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
+       }
+
         /**
          * Caches the response
          * @param int $cacheSeconds the amount of seconds that should be cached
diff --git a/lib/public/AppFramework/Http/StreamResponse.php b/lib/public/AppFramework/Http/StreamResponse.php

index 8ffc94dc8f1b758d6a6efe07994c93e45d3eaa5c..d8a183bba5045c2e783517f61fa9100d193924f2 100644 (file)
--- a/lib/public/AppFramework/Http/StreamResponse.php
+++ b/lib/public/AppFramework/Http/StreamResponse.php
@@ -42,6 +42,8 @@ class StreamResponse extends Response implements ICallbackResponse {
          * @since 8.1.0
          */
         public function __construct ($filePath) {
+               parent::__construct();
+
                 $this->filePath = $filePath;
         }
  
diff --git a/lib/public/AppFramework/Http/TemplateResponse.php b/lib/public/AppFramework/Http/TemplateResponse.php

index f6436038cc355d021325cfbca7bbebd15206d85c..334928cc03c2a0b156362a52e5ff1dce55c0dea1 100644 (file)
--- a/lib/public/AppFramework/Http/TemplateResponse.php
+++ b/lib/public/AppFramework/Http/TemplateResponse.php
@@ -75,10 +75,14 @@ class TemplateResponse extends Response {
          */
         public function __construct($appName, $templateName, array $params=array(),
                                     $renderAs='user') {
+               parent::__construct();
+
                 $this->templateName = $templateName;
                 $this->appName = $appName;
                 $this->params = $params;
                 $this->renderAs = $renderAs;
+
+               $this->setContentSecurityPolicy(new ContentSecurityPolicy());
         }
  
  
diff --git a/lib/public/AppFramework/Http/ZipResponse.php b/lib/public/AppFramework/Http/ZipResponse.php

index 630efb38c7d73c42a64d5f4a34f100c7ba65e1f8..bec0812ab0cd46e13c81bd87d3b2f83d1cc424dd 100644 (file)
--- a/lib/public/AppFramework/Http/ZipResponse.php
+++ b/lib/public/AppFramework/Http/ZipResponse.php
@@ -44,6 +44,8 @@ class ZipResponse extends Response implements ICallbackResponse {
          * @since 15.0.0
          */
         public function __construct(IRequest $request, string $name = 'output') {
+               parent::__construct();
+
                 $this->name = $name;
                 $this->request = $request;
         }
diff --git a/tests/lib/AppFramework/Controller/ControllerTest.php b/tests/lib/AppFramework/Controller/ControllerTest.php

index 3d1d7e66e8489140da74a80589fc778b16af5b99..c37a2a3456c26bd66f1cf6d2134ec06c0f3e97bb 100644 (file)
--- a/tests/lib/AppFramework/Controller/ControllerTest.php
+++ b/tests/lib/AppFramework/Controller/ControllerTest.php
@@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase {
                         'test' => 'something',
                         'Cache-Control' => 'no-cache, no-store, must-revalidate',
                         'Content-Type' => 'application/json; charset=utf-8',
-                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
+                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
                 ];
  
                 $response = $this->controller->customDataResponse(array('hi'));
diff --git a/tests/lib/AppFramework/Http/DataResponseTest.php b/tests/lib/AppFramework/Http/DataResponseTest.php

index 67ffdde8669e8fee86c5b38d2d31e40fb7237b3d..e0eca83f6e9d5d066ea0fb3ac217347672a4240f 100644 (file)
--- a/tests/lib/AppFramework/Http/DataResponseTest.php
+++ b/tests/lib/AppFramework/Http/DataResponseTest.php
@@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase {
  
                 $expectedHeaders = [
                         'Cache-Control' => 'no-cache, no-store, must-revalidate',
-                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
+                       'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
                 ];
                 $expectedHeaders = array_merge($expectedHeaders, $headers);
  
diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php

index 18a9a398f72531125216c06e9e0494af8cede10a..e840111db1945a616c24934c025b13537fe74bee 100644 (file)
--- a/tests/lib/AppFramework/Http/ResponseTest.php
+++ b/tests/lib/AppFramework/Http/ResponseTest.php
@@ -59,7 +59,7 @@ class ResponseTest extends \Test\TestCase {
  
                 $this->childResponse->setHeaders($expected);
                 $headers = $this->childResponse->getHeaders();
-               $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
+               $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self'";
  
                 $this->assertEquals($expected, $headers);
         }
@@ -86,7 +86,7 @@ class ResponseTest extends \Test\TestCase {
         }
  
         public function testGetCspEmpty() {
-               $this->assertNull($this->childResponse->getContentSecurityPolicy());
+               $this->assertEquals(new Http\EmptyContentSecurityPolicy(), $this->childResponse->getContentSecurityPolicy());
         }
  
         public function testAddHeaderValueNullDeletesIt(){
author	Roeland Jago Douma <roeland@famdouma.nl>
	Wed, 3 Apr 2019 16:42:34 +0000 (18:42 +0200)
committer	Roeland Jago Douma <roeland@famdouma.nl>
	Tue, 16 Apr 2019 12:09:39 +0000 (14:09 +0200)
lib/public/AppFramework/Http/DataDisplayResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/DataResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/DownloadResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/FileDisplayResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/JSONResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/NotFoundResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/OCSResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/RedirectResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/Response.php		patch \| blob \| history
lib/public/AppFramework/Http/StreamResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/TemplateResponse.php		patch \| blob \| history
lib/public/AppFramework/Http/ZipResponse.php		patch \| blob \| history
tests/lib/AppFramework/Controller/ControllerTest.php		patch \| blob \| history
tests/lib/AppFramework/Http/DataResponseTest.php		patch \| blob \| history
tests/lib/AppFramework/Http/ResponseTest.php		patch \| blob \| history