Allow "wasm-unsafe-eval" in CSPtags/v28.0.0beta1
@@ -64,6 +64,14 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy | |||
$this->evalScriptAllowed = $evalScriptAllowed; | |||
} | |||
public function isEvalWasmAllowed(): ?bool { | |||
return $this->evalWasmAllowed; | |||
} | |||
public function setEvalWasmAllowed(bool $evalWasmAllowed): void { | |||
$this->evalWasmAllowed = $evalWasmAllowed; | |||
} | |||
/** | |||
* @return array | |||
*/ |
@@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { | |||
protected $inlineScriptAllowed = false; | |||
/** @var bool Whether eval in JS scripts is allowed */ | |||
protected $evalScriptAllowed = false; | |||
/** @var bool Whether WebAssembly compilation is allowed */ | |||
protected ?bool $evalWasmAllowed = false; | |||
/** @var bool Whether strict-dynamic should be set */ | |||
protected $strictDynamicAllowed = false; | |||
/** @var array Domains from which scripts can get loaded */ |
@@ -47,6 +47,8 @@ class EmptyContentSecurityPolicy { | |||
* @link https://github.com/owncloud/core/issues/11925 | |||
*/ | |||
protected $evalScriptAllowed = null; | |||
/** @var bool Whether WebAssembly compilation is allowed */ | |||
protected ?bool $evalWasmAllowed = null; | |||
/** @var array Domains from which scripts can get loaded */ | |||
protected $allowedScriptDomains = null; | |||
/** | |||
@@ -116,6 +118,17 @@ class EmptyContentSecurityPolicy { | |||
return $this; | |||
} | |||
/** | |||
* Whether WebAssembly compilation is allowed or forbidden | |||
* @param bool $state | |||
* @return $this | |||
* @since 28.0.0 | |||
*/ | |||
public function allowEvalWasm(bool $state = true) { | |||
$this->evalWasmAllowed = $state; | |||
return $this; | |||
} | |||
/** | |||
* Allows to execute JavaScript files from a specific domain. Use * to | |||
* allow JavaScript from all domains. | |||
@@ -433,7 +446,7 @@ class EmptyContentSecurityPolicy { | |||
$policy .= "base-uri 'none';"; | |||
$policy .= "manifest-src 'self';"; | |||
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) { | |||
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) { | |||
$policy .= 'script-src '; | |||
if (is_string($this->useJsNonce)) { | |||
if ($this->strictDynamicAllowed) { | |||
@@ -453,6 +466,9 @@ class EmptyContentSecurityPolicy { | |||
if ($this->evalScriptAllowed) { | |||
$policy .= ' \'unsafe-eval\''; | |||
} | |||
if ($this->evalWasmAllowed) { | |||
$policy .= ' \'wasm-unsafe-eval\''; | |||
} | |||
$policy .= ';'; | |||
} | |||
@@ -46,6 +46,8 @@ class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy { | |||
protected $inlineScriptAllowed = false; | |||
/** @var bool Whether eval in JS scripts is allowed */ | |||
protected $evalScriptAllowed = false; | |||
/** @var bool Whether WebAssembly compilation is allowed */ | |||
protected ?bool $evalWasmAllowed = false; | |||
/** @var array Domains from which scripts can get loaded */ | |||
protected $allowedScriptDomains = [ | |||
'\'self\'', |
@@ -456,6 +456,13 @@ class ContentSecurityPolicyTest extends \Test\TestCase { | |||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||
} | |||
public function testGetPolicyUnsafeWasmEval() { | |||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; | |||
$this->contentSecurityPolicy->allowEvalWasm(true); | |||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||
} | |||
public function testGetPolicyNonce() { | |||
$nonce = 'my-nonce'; | |||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; |
@@ -75,6 +75,13 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase { | |||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||
} | |||
public function testGetPolicyScriptAllowWasmEval() { | |||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'"; | |||
$this->contentSecurityPolicy->allowEvalWasm(true); | |||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||
} | |||
public function testGetPolicyStyleDomainValid() { | |||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; | |||