diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2015-02-26 12:54:15 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-02-28 12:27:46 +0100 |
| commit | b29940d956e638b14f2012022b0ad91ebac7f8e8 (patch) | |
| tree | 02824c7f6b6df67b5bd9f6aacbb92740486439f9 | |
| parent | 42f6448da239c1b716ae514a513c4985eec48ef5 (diff) | |
| download | nextcloud-server-b29940d956e638b14f2012022b0ad91ebac7f8e8.tar.gz nextcloud-server-b29940d956e638b14f2012022b0ad91ebac7f8e8.zip | |
Add support for 'child-src' directive
This is required when working with stuff such as PDF.js in the files_pdfviewer application. Opt-in only.
Master change only because the stable CSP policies has a failback that allows nearly anything :see_no_evil:
| -rw-r--r-- | lib/public/appframework/http/contentsecuritypolicy.php | 17 | ||||
| -rw-r--r-- | tests/lib/appframework/http/ContentSecurityPolicyTest.php | 19 |
2 files changed, 34 insertions, 2 deletions
diff --git a/lib/public/appframework/http/contentsecuritypolicy.php b/lib/public/appframework/http/contentsecuritypolicy.php index cb9a241d8af..6778d1035be 100644 --- a/lib/public/appframework/http/contentsecuritypolicy.php +++ b/lib/public/appframework/http/contentsecuritypolicy.php @@ -65,6 +65,8 @@ class ContentSecurityPolicy { private $allowedFontDomains = [ '\'self\'', ]; + /** @var array Domains from which web-workers and nested browsing content can load elements */ + private $allowedChildSrcDomains = []; /** * Whether inline JavaScript snippets are allowed or forbidden @@ -181,6 +183,16 @@ class ContentSecurityPolicy { } /** + * Domains from which web-workers and nested browsing content can load elements + * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized. + * @return $this + */ + public function addAllowedChildSrcDomain($domain) { + $this->allowedChildSrcDomains[] = $domain; + return $this; + } + + /** * Get the generated Content-Security-Policy as a string * @return string */ @@ -236,6 +248,11 @@ class ContentSecurityPolicy { $policy .= ';'; } + if(!empty($this->allowedChildSrcDomains)) { + $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains); + $policy .= ';'; + } + return rtrim($policy, ';'); } } diff --git a/tests/lib/appframework/http/ContentSecurityPolicyTest.php b/tests/lib/appframework/http/ContentSecurityPolicyTest.php index 739028cb3b5..f79c23ae644 100644 --- a/tests/lib/appframework/http/ContentSecurityPolicyTest.php +++ b/tests/lib/appframework/http/ContentSecurityPolicyTest.php @@ -181,7 +181,6 @@ class ContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } - public function testGetAllowedFrameDomain() { $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com"; @@ -197,8 +196,23 @@ class ContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } + public function testGetAllowedChildSrcDomain() { + $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com"; + + $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com'); + $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); + } + + public function testGetPolicyChildSrcValidMultiple() { + $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org"; + + $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com'); + $this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org'); + $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); + } + public function testConfigureStacked() { - $expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org"; + $expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org;child-src child.owncloud.org"; $this->contentSecurityPolicy->allowInlineStyle(false) ->allowEvalScript(false) @@ -209,6 +223,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase { ->addAllowedConnectDomain('connect.owncloud.org') ->addAllowedMediaDomain('media.owncloud.org') ->addAllowedObjectDomain('objects.owncloud.org') + ->addAllowedChildSrcDomain('child.owncloud.org') ->addAllowedFrameDomain('frame.owncloud.org'); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } |