Allow "wasm-unsafe-eval" in CSP
tags/v28.0.0beta1
$this->evalScriptAllowed = $evalScriptAllowed; | $this->evalScriptAllowed = $evalScriptAllowed; | ||||
} | } | ||||
public function isEvalWasmAllowed(): ?bool { | |||||
return $this->evalWasmAllowed; | |||||
} | |||||
public function setEvalWasmAllowed(bool $evalWasmAllowed): void { | |||||
$this->evalWasmAllowed = $evalWasmAllowed; | |||||
} | |||||
/** | /** | ||||
* @return array | * @return array | ||||
*/ | */ |
protected $inlineScriptAllowed = false; | protected $inlineScriptAllowed = false; | ||||
/** @var bool Whether eval in JS scripts is allowed */ | /** @var bool Whether eval in JS scripts is allowed */ | ||||
protected $evalScriptAllowed = false; | protected $evalScriptAllowed = false; | ||||
/** @var bool Whether WebAssembly compilation is allowed */ | |||||
protected ?bool $evalWasmAllowed = false; | |||||
/** @var bool Whether strict-dynamic should be set */ | /** @var bool Whether strict-dynamic should be set */ | ||||
protected $strictDynamicAllowed = false; | protected $strictDynamicAllowed = false; | ||||
/** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ |
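Review bot: The docblock on the new property says `@var bool` while the declaration is `?bool`, so the documented type and the native type disagree; the same mismatch is in the other two copies of this property at L24-25 and L62-63. The nullable type is presumably forced by the base-class declaration (property types are invariant across inheritance), so the comment should say what `null` means rather than hide it, e.g. `/** @var bool|null Whether 'wasm-unsafe-eval' is added to script-src; null means the flag was never set */`. If `null` has no distinct meaning in this subclass, say so instead — but do not leave the docblock claiming a narrower type than the code enforces.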
* @link https://github.com/owncloud/core/issues/11925 | * @link https://github.com/owncloud/core/issues/11925 | ||||
*/ | */ | ||||
protected $evalScriptAllowed = null; | protected $evalScriptAllowed = null; | ||||
/** @var bool Whether WebAssembly compilation is allowed */ | |||||
protected ?bool $evalWasmAllowed = null; | |||||
/** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ | ||||
protected $allowedScriptDomains = null; | protected $allowedScriptDomains = null; | ||||
/** | /** | ||||
return $this; | return $this; | ||||
} | } | ||||
/** | |||||
* Whether WebAssembly compilation is allowed or forbidden | |||||
* @param bool $state | |||||
* @return $this | |||||
* @since 28.0.0 | |||||
*/ | |||||
public function allowEvalWasm(bool $state = true) { | |||||
$this->evalWasmAllowed = $state; | |||||
return $this; | |||||
} | |||||
/** | /** | ||||
* Allows to execute JavaScript files from a specific domain. Use * to | * Allows to execute JavaScript files from a specific domain. Use * to | ||||
* allow JavaScript from all domains. | * allow JavaScript from all domains. | ||||
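Review bot: The docblock on `allowEvalWasm` ("Whether WebAssembly compilation is allowed or forbidden") does not tell an app developer what this relaxes or when to prefer it over the existing eval setter, which is the security-relevant decision they have to make. I would expand it to: `Adds 'wasm-unsafe-eval' to script-src, which permits WebAssembly.compile()/instantiate() from bytes without also permitting JavaScript eval(); prefer this over allowEvalScript() when an app only needs to run WebAssembly.` and keep the `@param`/`@return`/`@since` lines as they are. The method has no native return type, which is consistent with the sibling setters visible at L29, so I would not change that here.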
$policy .= "base-uri 'none';"; | $policy .= "base-uri 'none';"; | ||||
$policy .= "manifest-src 'self';"; | $policy .= "manifest-src 'self';"; | ||||
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) { | |||||
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) { | |||||
$policy .= 'script-src '; | $policy .= 'script-src '; | ||||
if (is_string($this->useJsNonce)) { | if (is_string($this->useJsNonce)) { | ||||
if ($this->strictDynamicAllowed) { | if ($this->strictDynamicAllowed) { | ||||
if ($this->evalScriptAllowed) { | if ($this->evalScriptAllowed) { | ||||
$policy .= ' \'unsafe-eval\''; | $policy .= ' \'unsafe-eval\''; | ||||
} | } | ||||
if ($this->evalWasmAllowed) { | |||||
$policy .= ' \'wasm-unsafe-eval\''; | |||||
} | |||||
$policy .= ';'; | $policy .= ';'; | ||||
} | } | ||||
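Review bot: When both `evalScriptAllowed` and `evalWasmAllowed` are true the policy emits `'unsafe-eval'` followed by `'wasm-unsafe-eval'`; browsers treat `'unsafe-eval'` as already covering WebAssembly compilation, so the second token is redundant in that case, though harmless. That is fine behaviour, but it is worth a comment so nobody later "simplifies" by dropping the separate flag, e.g. `// 'wasm-unsafe-eval' is a strict subset of 'unsafe-eval'; emitted independently so wasm-only apps need not allow JS eval()`. The widened gate at L47 is needed: without `|| $this->evalWasmAllowed` a wasm-only policy would emit no script-src and inherit `default-src 'none'`. `buildPolicy` begins and ends outside this hunk, so I could not confirm the token is outside the nonce branch.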
protected $inlineScriptAllowed = false; | protected $inlineScriptAllowed = false; | ||||
/** @var bool Whether eval in JS scripts is allowed */ | /** @var bool Whether eval in JS scripts is allowed */ | ||||
protected $evalScriptAllowed = false; | protected $evalScriptAllowed = false; | ||||
/** @var bool Whether WebAssembly compilation is allowed */ | |||||
protected ?bool $evalWasmAllowed = false; | |||||
/** @var array Domains from which scripts can get loaded */ | /** @var array Domains from which scripts can get loaded */ | ||||
protected $allowedScriptDomains = [ | protected $allowedScriptDomains = [ | ||||
'\'self\'', | '\'self\'', |
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | ||||
} | } | ||||
public function testGetPolicyUnsafeWasmEval() { | |||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; | |||||
$this->contentSecurityPolicy->allowEvalWasm(true); | |||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||||
} | |||||
public function testGetPolicyNonce() { | public function testGetPolicyNonce() { | ||||
$nonce = 'my-nonce'; | $nonce = 'my-nonce'; | ||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; | $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; |
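Review bot: `testGetPolicyUnsafeWasmEval` only covers the wasm flag on its own, so the combined ordering `'unsafe-eval' 'wasm-unsafe-eval'` produced at L51-56 and the explicit `allowEvalWasm(false)` path are untested; a regression in either would pass this suite. I would add a test that sets both flags (using the existing eval setter the class already exposes, assuming it is `allowEvalScript()`), with the expected string following the format of the test above. If the policy merge code (not in this diff) consumes `isEvalWasmAllowed()`/`setEvalWasmAllowed()`, that path deserves a test as well.
```php
public function testGetPolicyUnsafeEvalAndWasmEval() {
    $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";

    $this->contentSecurityPolicy->allowEvalScript(true);
    $this->contentSecurityPolicy->allowEvalWasm(true);
    $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
```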
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | ||||
} | } | ||||
public function testGetPolicyScriptAllowWasmEval() { | |||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'"; | |||||
$this->contentSecurityPolicy->allowEvalWasm(true); | |||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); | |||||
} | |||||
public function testGetPolicyStyleDomainValid() { | public function testGetPolicyStyleDomainValid() { | ||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; | $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; | ||||