]> source.dussan.org Git - nextcloud-server.git/commitdiff
projects / nextcloud-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7df9eb3)
fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script... 41571/head
authorFerdinand Thiessen <opensource@fthiessen.de>
Fri, 17 Nov 2023 10:07:35 +0000 (11:07 +0100)
committerFerdinand Thiessen <opensource@fthiessen.de>
Fri, 17 Nov 2023 13:42:36 +0000 (14:42 +0100)
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
lib/public/AppFramework/Http/ContentSecurityPolicy.php patch | blob | history
tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php patch | blob | history
tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php patch | blob | history

diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 386d908ffb66d11492e07b0344e5bd8d0c9ceaa3..7f93f7004d9695f7338d0ab17debd49e27723b31 100644 (file)
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -49,7 +49,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
        /** @var bool Whether strict-dynamic should be set */
        protected $strictDynamicAllowed = false;
        /** @var bool Whether strict-dynamic should be set for 'script-src-elem' */
-       protected $strictDynamicAllowedOnScripts = false;
+       protected $strictDynamicAllowedOnScripts = true;
        /** @var array Domains from which scripts can get loaded */
        protected $allowedScriptDomains = [
                '\'self\'',
diff --git a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
index 4fd21859bf7f3e475a408ad83987536890a14b6c..97412f1de23a6d4f9a3b4a114c26564b8a1d486d 100644 (file)
--- a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
+++ b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
@@ -25,19 +25,19 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDefault() {
-               $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $defaultPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
                $this->assertSame($defaultPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;script-src-elem 'strict-dynamic' 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyScriptDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com www.owncloud.org;script-src-elem 'strict-dynamic' 'self' www.owncloud.com www.owncloud.org;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.org');
@@ -45,7 +45,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.com');
@@ -53,7 +53,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com;script-src-elem 'strict-dynamic' 'self' www.owncloud.com;style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org');
@@ -61,7 +61,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowScriptDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowScriptDomain('www.owncloud.org')->disallowScriptDomain('www.owncloud.com');
@@ -69,21 +69,21 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyScriptDisallowEval() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->allowEvalScript(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' www.owncloud.com www.owncloud.org 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.org');
@@ -91,7 +91,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.com');
@@ -99,7 +99,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org');
@@ -107,7 +107,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowStyleDomainMultipleStacked() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowStyleDomain('www.owncloud.org')->disallowStyleDomain('www.owncloud.com');
@@ -115,35 +115,35 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyStyleAllowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->allowInlineStyle(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleAllowInlineWithDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' www.owncloud.com 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedStyleDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyStyleDisallowInline() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->allowInlineStyle(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyImageDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com www.owncloud.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.org');
@@ -151,7 +151,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.com');
@@ -159,7 +159,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: www.owncloud.com;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org');
@@ -167,7 +167,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowImageDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedImageDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowImageDomain('www.owncloud.org')->disallowImageDomain('www.owncloud.com');
@@ -175,14 +175,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyFontDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFontDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.org');
@@ -190,7 +190,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.com');
@@ -198,7 +198,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data: www.owncloud.com;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org');
@@ -206,7 +206,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFontDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFontDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFontDomain('www.owncloud.org')->disallowFontDomain('www.owncloud.com');
@@ -214,14 +214,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyConnectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyConnectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com www.owncloud.org;media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.org');
@@ -229,7 +229,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.com');
@@ -237,7 +237,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' www.owncloud.com;media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org');
@@ -245,7 +245,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowConnectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedConnectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowConnectDomain('www.owncloud.org')->disallowConnectDomain('www.owncloud.com');
@@ -253,14 +253,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyMediaDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyMediaDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.org');
@@ -268,7 +268,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.com');
@@ -276,7 +276,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self' www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org');
@@ -284,7 +284,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowMediaDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedMediaDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowMediaDomain('www.owncloud.org')->disallowMediaDomain('www.owncloud.com');
@@ -292,14 +292,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyObjectDomainValid() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyObjectDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
@@ -307,7 +307,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.com');
@@ -315,7 +315,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';object-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org');
@@ -323,7 +323,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowObjectDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
@@ -331,14 +331,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFrameDomainValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com www.owncloud.org;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.org');
@@ -346,7 +346,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.com');
@@ -354,7 +354,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org');
@@ -362,7 +362,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowFrameDomain('www.owncloud.org')->disallowFrameDomain('www.owncloud.com');
@@ -370,14 +370,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetAllowedChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyChildSrcValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
@@ -385,7 +385,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.com');
@@ -393,7 +393,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';child-src www.owncloud.com;frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org');
@@ -401,7 +401,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
@@ -411,14 +411,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
 
 
        public function testGetAllowedFrameAncestorDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com;form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com;form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyFrameAncestorValidMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com foo.nextcloud.com;form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' sub.nextcloud.com foo.nextcloud.com;form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
                $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('foo.nextcloud.com');
@@ -426,7 +426,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameAncestorDomain() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
                $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.com');
@@ -434,7 +434,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameAncestorDomainMultiple() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' www.nextcloud.com;form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self' www.nextcloud.com;form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
                $this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.org');
@@ -442,7 +442,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyDisallowFrameAncestorDomainMultipleStakes() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
                $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
@@ -450,14 +450,14 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
        }
 
        public function testGetPolicyUnsafeEval() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';script-src-elem 'strict-dynamic' 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->allowEvalScript(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
        public function testGetPolicyUnsafeWasmEval() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';script-src-elem 'strict-dynamic' 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->allowEvalWasm(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
@@ -467,6 +467,15 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
                $nonce = 'my-nonce';
                $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
+               $this->contentSecurityPolicy->useJsNonce($nonce);
+               $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
+               $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+       }
+
+       public function testGetPolicyNonceDefault() {
+               $nonce = 'my-nonce';
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';script-src-elem 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+
                $this->contentSecurityPolicy->useJsNonce($nonce);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
@@ -477,22 +486,23 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
 
                $this->contentSecurityPolicy->useJsNonce($nonce);
                $this->contentSecurityPolicy->useStrictDynamic(true);
+               $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
-       public function testGetPolicyNonceStrictDynamicOnScripts() {
+       public function testGetPolicyNonceStrictDynamicDefault() {
                $nonce = 'my-nonce';
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';script-src-elem 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
                $this->contentSecurityPolicy->useJsNonce($nonce);
-               $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
+               $this->contentSecurityPolicy->useStrictDynamic(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
-       public function testGetPolicyStrictDynamicOnScripts() {
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';script-src-elem 'strict-dynamic' 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+       public function testGetPolicyStrictDynamicOnScriptsOff() {
+               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
 
-               $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
+               $this->contentSecurityPolicy->useStrictDynamicOnScripts(false);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
 
@@ -503,17 +513,4 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
                $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
                $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
        }
-
-       /**
-        * No duplication as we can fallback
-        */
-       public function testGetPolicyNonceStrictDynamicAndStrictDynamicOnScripts() {
-               $nonce = 'my-nonce';
-               $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'strict-dynamic' 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
-
-               $this->contentSecurityPolicy->useJsNonce($nonce);
-               $this->contentSecurityPolicy->useStrictDynamic(true);
-               $this->contentSecurityPolicy->useStrictDynamicOnScripts(true);
-               $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
-       }
 }
diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
index 24acd3cabc9319612bb8a238e8ae98f813c1d21a..0af73f10c65fe986337f0abbe0b9ef59c10099bb 100644 (file)
--- a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
+++ b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php
@@ -72,7 +72,7 @@ class ContentSecurityPolicyManagerTest extends TestCase {
                $expected->addAllowedImageDomain('anotherdomain.de');
                $expected->addAllowedImageDomain('example.org');
                $expected->addAllowedChildSrcDomain('childdomain');
-               $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
+               $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';script-src-elem 'strict-dynamic' 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
 
                $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
                $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
@@ -115,7 +115,7 @@ class ContentSecurityPolicyManagerTest extends TestCase {
                $expected->addAllowedChildSrcDomain('childdomain');
                $expected->addAllowedFormActionDomain('thirdDomain');
                $expected->useStrictDynamic(true);
-               $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
+               $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';script-src-elem 'strict-dynamic' 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
 
                $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
                $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server