diff options
| author | Simon L <szaimen@e.mail.de> | 2023-06-12 14:20:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-06-12 14:20:11 +0200 |
| commit | 63bf207ca7a18dd50ce3aeaea42e53f4ee400fc0 (patch) | |
| tree | 5c1eca4967217723afb43485d9bf0e04139ed377 | |
| parent | 83faba5e613b4ac8d7fce091e5b545a7a30b1640 (diff) | |
| parent | 08a3f3769581dc148c8f86c6fa0997905a6b3a10 (diff) | |
| download | nextcloud-server-63bf207ca7a18dd50ce3aeaea42e53f4ee400fc0.tar.gz nextcloud-server-63bf207ca7a18dd50ce3aeaea42e53f4ee400fc0.zip | |
Merge pull request #38642 from nextcloud/chore/appframework/drop-emptycontentsecuritypolicy-allowinlinescript
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
5 files changed, 6 insertions, 61 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 98a42aeabb5..035b4f01f60 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -37,8 +37,6 @@ namespace OCP\AppFramework\Http; * @since 9.0.0 */ class EmptyContentSecurityPolicy { - /** @var bool Whether inline JS snippets are allowed */ - protected $inlineScriptAllowed = null; /** @var string Whether JS nonces should be used */ protected $useJsNonce = null; /** @var bool Whether strict-dynamic should be used */ @@ -84,18 +82,6 @@ class EmptyContentSecurityPolicy { protected $reportTo = null; /** - * Whether inline JavaScript snippets are allowed or forbidden - * @param bool $state - * @return $this - * @since 8.1.0 - * @deprecated 10.0 CSP tokens are now used - */ - public function allowInlineScript($state = false) { - $this->inlineScriptAllowed = $state; - return $this; - } - - /** * @param bool $state * @return EmptyContentSecurityPolicy * @since 24.0.0 @@ -447,7 +433,7 @@ class EmptyContentSecurityPolicy { $policy .= "base-uri 'none';"; $policy .= "manifest-src 'self';"; - if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) { + if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) { $policy .= 'script-src '; if (is_string($this->useJsNonce)) { if ($this->strictDynamicAllowed) { @@ -464,9 +450,6 @@ class EmptyContentSecurityPolicy { if (is_array($this->allowedScriptDomains)) { $policy .= implode(' ', $this->allowedScriptDomains); } - if ($this->inlineScriptAllowed) { - $policy .= ' \'unsafe-inline\''; - } if ($this->evalScriptAllowed) { $policy .= ' \'unsafe-eval\''; } diff --git a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php index 5c3f3ead5b0..53632da93d1 100644 --- a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php +++ b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php @@ -68,25 +68,9 @@ class ContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } - public function testGetPolicyScriptAllowInline() { - $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; - - $this->contentSecurityPolicy->allowInlineScript(true); - $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); - } - - public function testGetPolicyScriptAllowInlineWithDomain() { - $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; - - $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); - $this->contentSecurityPolicy->allowInlineScript(true); - $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); - } - - public function testGetPolicyScriptDisallowInlineAndEval() { + public function testGetPolicyScriptDisallowEval() { $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; - $this->contentSecurityPolicy->allowInlineScript(false); $this->contentSecurityPolicy->allowEvalScript(false); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } diff --git a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php index 68e54886527..dc10d095ab5 100644 --- a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php +++ b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php @@ -68,25 +68,9 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } - public function testGetPolicyScriptAllowInline() { - $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline';frame-ancestors 'none'"; + public function testGetPolicyScriptAllowEval() { + $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-eval';frame-ancestors 'none'"; - $this->contentSecurityPolicy->allowInlineScript(true); - $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); - } - - public function testGetPolicyScriptAllowInlineWithDomain() { - $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline';frame-ancestors 'none'"; - - $this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com'); - $this->contentSecurityPolicy->allowInlineScript(true); - $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); - } - - public function testGetPolicyScriptAllowInlineAndEval() { - $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline' 'unsafe-eval';frame-ancestors 'none'"; - - $this->contentSecurityPolicy->allowInlineScript(true); $this->contentSecurityPolicy->allowEvalScript(true); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php index 6473a5bf55f..dac4606124a 100644 --- a/tests/lib/AppFramework/Http/ResponseTest.php +++ b/tests/lib/AppFramework/Http/ResponseTest.php @@ -67,7 +67,6 @@ class ResponseTest extends \Test\TestCase { 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self' data:;connect-src 'self';media-src 'self'", ]; $policy = new Http\ContentSecurityPolicy(); - $policy->allowInlineScript(true); $this->childResponse->setContentSecurityPolicy($policy); $headers = $this->childResponse->getHeaders(); @@ -77,7 +76,6 @@ class ResponseTest extends \Test\TestCase { public function testGetCsp() { $policy = new Http\ContentSecurityPolicy(); - $policy->allowInlineScript(true); $this->childResponse->setContentSecurityPolicy($policy); $this->assertEquals($policy, $this->childResponse->getContentSecurityPolicy()); diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php index 082ef46330d..05d6ede640d 100644 --- a/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php +++ b/tests/lib/Security/CSP/ContentSecurityPolicyManagerTest.php @@ -56,7 +56,6 @@ class ContentSecurityPolicyManagerTest extends TestCase { $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(); $policy->addAllowedFontDomain('example.com'); $policy->addAllowedImageDomain('example.org'); - $policy->allowInlineScript(true); $policy->allowEvalScript(true); $this->contentSecurityPolicyManager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy(); @@ -66,7 +65,6 @@ class ContentSecurityPolicyManagerTest extends TestCase { $this->contentSecurityPolicyManager->addDefaultPolicy($policy); $expected = new \OC\Security\CSP\ContentSecurityPolicy(); - $expected->allowInlineScript(true); $expected->allowEvalScript(true); $expected->addAllowedFontDomain('mydomain.com'); $expected->addAllowedFontDomain('example.com'); @@ -75,7 +73,7 @@ class ContentSecurityPolicyManagerTest extends TestCase { $expected->addAllowedImageDomain('anotherdomain.de'); $expected->addAllowedImageDomain('example.org'); $expected->addAllowedChildSrcDomain('childdomain'); - $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain"; + $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain"; $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy()); $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy()); @@ -96,7 +94,6 @@ class ContentSecurityPolicyManagerTest extends TestCase { $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(); $policy->addAllowedFontDomain('example.com'); $policy->addAllowedImageDomain('example.org'); - $policy->allowInlineScript(true); $policy->allowEvalScript(false); $e->addPolicy($policy); }); @@ -110,7 +107,6 @@ class ContentSecurityPolicyManagerTest extends TestCase { }); $expected = new \OC\Security\CSP\ContentSecurityPolicy(); - $expected->allowInlineScript(true); $expected->allowEvalScript(true); $expected->addAllowedFontDomain('mydomain.com'); $expected->addAllowedFontDomain('example.com'); @@ -120,7 +116,7 @@ class ContentSecurityPolicyManagerTest extends TestCase { $expected->addAllowedChildSrcDomain('childdomain'); $expected->addAllowedFormActionDomain('thirdDomain'); $expected->useStrictDynamic(true); - $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain"; + $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain"; $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy()); $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy()); |