Browse Source
Merge pull request #38082 from nextcloud/allow-wasm-unsafe-eval-in-csp
Allow "wasm-unsafe-eval" in CSPtags/v28.0.0beta1
Joas Schilling
10 months ago
6 changed files with 43 additions and 1 deletions
+ 8
- 0
lib/private/Security/CSP/ContentSecurityPolicy.php
View File
| $this->evalScriptAllowed = $evalScriptAllowed; | $this->evalScriptAllowed = $evalScriptAllowed; | ||||
| } | } | ||||
| public function isEvalWasmAllowed(): ?bool { | |||||
| return $this->evalWasmAllowed; | |||||
| } | |||||
| public function setEvalWasmAllowed(bool $evalWasmAllowed): void { | |||||
| $this->evalWasmAllowed = $evalWasmAllowed; | |||||
| } | |||||
| /** | /** | ||||
| * @return array | * @return array | ||||
| */ | */ |
+ 2
- 0
lib/public/AppFramework/Http/ContentSecurityPolicy.php
View File
| protected $inlineScriptAllowed = false; | protected $inlineScriptAllowed = false; | ||||
| /** @var bool Whether eval in JS scripts is allowed */ | /** @var bool Whether eval in JS scripts is allowed */ | ||||
| protected $evalScriptAllowed = false; | protected $evalScriptAllowed = false; | ||||
| /** @var bool Whether WebAssembly compilation is allowed */ | |||||
| protected ?bool $evalWasmAllowed = false; | |||||
| /** @var bool Whether strict-dynamic should be set */ | /** @var bool Whether strict-dynamic should be set */ | ||||
| protected $strictDynamicAllowed = false; | protected $strictDynamicAllowed = false; | ||||
| /** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ |
+ 17
- 1
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View File
| * @link https://github.com/owncloud/core/issues/11925 | * @link https://github.com/owncloud/core/issues/11925 | ||||
| */ | */ | ||||
| protected $evalScriptAllowed = null; | protected $evalScriptAllowed = null; | ||||
| /** @var bool Whether WebAssembly compilation is allowed */ | |||||
| protected ?bool $evalWasmAllowed = null; | |||||
| /** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ | ||||
| protected $allowedScriptDomains = null; | protected $allowedScriptDomains = null; | ||||
| /** | /** | ||||
| return $this; | return $this; | ||||
| } | } | ||||
| /** | |||||
| * Whether WebAssembly compilation is allowed or forbidden | |||||
| * @param bool $state | |||||
| * @return $this | |||||
| * @since 28.0.0 | |||||
| */ | |||||
| public function allowEvalWasm(bool $state = true) { | |||||
| $this->evalWasmAllowed = $state; | |||||
| return $this; | |||||
| } | |||||
| /** | /** | ||||
| * Allows to execute JavaScript files from a specific domain. Use * to | * Allows to execute JavaScript files from a specific domain. Use * to | ||||
| * allow JavaScript from all domains. | * allow JavaScript from all domains. | ||||
| $policy .= "base-uri 'none';"; | $policy .= "base-uri 'none';"; | ||||
| $policy .= "manifest-src 'self';"; | $policy .= "manifest-src 'self';"; | ||||
| if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) { | |||||
| if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) { | |||||
| $policy .= 'script-src '; | $policy .= 'script-src '; | ||||
| if (is_string($this->useJsNonce)) { | if (is_string($this->useJsNonce)) { | ||||
| if ($this->strictDynamicAllowed) { | if ($this->strictDynamicAllowed) { | ||||
| if ($this->evalScriptAllowed) { | if ($this->evalScriptAllowed) { | ||||
| $policy .= ' \'unsafe-eval\''; | $policy .= ' \'unsafe-eval\''; | ||||
| } | } | ||||
| if ($this->evalWasmAllowed) { | |||||
| $policy .= ' \'wasm-unsafe-eval\''; | |||||
| } | |||||
| $policy .= ';'; | $policy .= ';'; | ||||
| } | } | ||||
+ 2
- 0
lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
View File
| protected $inlineScriptAllowed = false; | protected $inlineScriptAllowed = false; | ||||
| /** @var bool Whether eval in JS scripts is allowed */ | /** @var bool Whether eval in JS scripts is allowed */ | ||||
| protected $evalScriptAllowed = false; | protected $evalScriptAllowed = false; | ||||
| /** @var bool Whether WebAssembly compilation is allowed */ | |||||
| protected ?bool $evalWasmAllowed = false; | |||||
| /** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ | ||||
| protected $allowedScriptDomains = [ | protected $allowedScriptDomains = [ | ||||
| '\'self\'', | '\'self\'', |
+ 7
- 0
tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
View File
| $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | ||||
| } | } | ||||
| public function testGetPolicyUnsafeWasmEval() { | |||||
| $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; | |||||
| $this->contentSecurityPolicy->allowEvalWasm(true); | |||||
| $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||||
| } | |||||
| public function testGetPolicyNonce() { | public function testGetPolicyNonce() { | ||||
| $nonce = 'my-nonce'; | $nonce = 'my-nonce'; | ||||
| $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; | $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; |
+ 7
- 0
tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
View File
| $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | ||||
| } | } | ||||
| public function testGetPolicyScriptAllowWasmEval() { | |||||
| $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'"; | |||||
| $this->contentSecurityPolicy->allowEvalWasm(true); | |||||
| $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||||
| } | |||||
| public function testGetPolicyStyleDomainValid() { | public function testGetPolicyStyleDomainValid() { | ||||
| $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; | $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; | ||||
Loading…