author | Robin Appelman <icewind@owncloud.com> | 2014-04-23 12:26:59 +0200 |
---|---|---|
committer | Robin Appelman <icewind@owncloud.com> | 2014-04-23 12:26:59 +0200 |
commit | f48b0d9681977434c6a14c5dd0bd37b23f6ca3a8 (patch) | |
tree | c3775d3fa0ef0e3f275639e6dcb4aef19f67f0b8 | |
parent | 29b792779c4797cd59d967c33b9bbb8b683620c0 (diff) | |
download | nextcloud-server-f48b0d9681977434c6a14c5dd0bd37b23f6ca3a8.tar.gz nextcloud-server-f48b0d9681977434c6a14c5dd0bd37b23f6ca3a8.zip |
Backport of #8183 to stable6
-rw-r--r-- | lib/base.php | 29 | ||||
-rw-r--r-- | lib/json.php | 2 | ||||
-rw-r--r-- | lib/template.php | 22 |
3 files changed, 29 insertions, 24 deletions
diff --git a/lib/base.php b/lib/base.php index 3c3c13c8c47..a17cf19099b 100644 --- a/lib/base.php +++ b/lib/base.php @@ -245,6 +245,34 @@ class OC { } } + /* + * This function adds some security related headers to all requests served via base.php + * The implementation of this function has to happen here to ensure that all third-party + * components (e.g. SabreDAV) also benefit from this headers. + */ + public static function addSecurityHeaders() { + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + + // iFrame Restriction Policy + $xFramePolicy = OC_Config::getValue('xframe_restriction', true); + if ($xFramePolicy) { + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + } + + // Content Security Policy + // If you change the standard policy, please also change it in config.sample.php + $policy = OC_Config::getValue('custom_csp_policy', + 'default-src \'self\'; ' + . 'script-src \'self\' \'unsafe-eval\'; ' + . 'style-src \'self\' \'unsafe-inline\'; ' + . 'frame-src *; ' + . 'img-src *; ' + . 'font-src \'self\' data:; ' + . 'media-src *'); + header('Content-Security-Policy:' . $policy); + } + public static function checkSSL() { // redirect to https site if configured if (OC_Config::getValue("forcessl", false)) { @@ -479,6 +507,7 @@ class OC { self::checkConfig(); self::checkInstalled(); self::checkSSL(); + self::addSecurityHeaders(); self::initSession(); $errors = OC_Util::checkServer(); diff --git a/lib/json.php b/lib/json.php index f929e958957..5e2c7620648 100644 --- a/lib/json.php +++ b/lib/json.php @@ -104,8 +104,6 @@ class OC_JSON{ * Encode and print $data in json format */ public static function encodedPrint($data, $setContentType=true) { - // Disable mimesniffing, don't move this to setContentTypeHeader! - header( 'X-Content-Type-Options: nosniff' ); if($setContentType) { self::setContentTypeHeader(); } 
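Review bot: In `addSecurityHeaders()` the value of `custom_csp_policy` is appended to the header as-is, so a setting that is present but empty would produce `Content-Security-Policy:` with no directives, which browsers treat as no restriction (assuming `OC_Config::getValue` only falls back to the default when the key is absent). The lib/json.php and lib/template.php hunks remove the other places these headers were sent, so this function is now the only source for every response. Falling back to the built-in default whenever the configured value is not a non-empty string would keep a policy in force. The default still allows `'unsafe-eval'`, `'unsafe-inline'` and wildcard `frame-src`/`img-src`/`media-src`, so a short comment on why each relaxation is needed would help whoever tightens it later. The leading comment opens with `/*` rather than `/**`, so documentation tools will not attach it to the method.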
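Review bot: The new `self::addSecurityHeaders();` call in the second lib/base.php hunk runs only after `self::checkConfig();`, `self::checkInstalled();` and `self::checkSSL();`, so any response those three produce and terminate on is sent without the headers. Their bodies are outside the hunk, but the `checkSSL()` context in the first hunk is commented as redirecting to https. The lib/template.php hunk also removes the headers from the template code, so an error page rendered through `OC_Template` by one of those checks would lose headers it had before this change. Consider moving the call ahead of `self::checkConfig();`, provided `OC_Config::getValue` is already usable at that point. Otherwise add a comment here recording that the early-exit paths are intentionally left uncovered.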
diff --git a/lib/template.php b/lib/template.php index 2f535335648..199e0f6e492 100644 --- a/lib/template.php +++ b/lib/template.php @@ -185,28 +185,6 @@ class OC_Template{ $parts = explode('/', $app); // fix translation when app is something like core/lostpassword $this->l10n = OC_L10N::get($parts[0]); - // Some headers to enhance security - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters - header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - - // iFrame Restriction Policy - $xFramePolicy = OC_Config::getValue('xframe_restriction', true); - if($xFramePolicy) { - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains - } - - // Content Security Policy - // If you change the standard policy, please also change it in config.sample.php - $policy = OC_Config::getValue('custom_csp_policy', - 'default-src \'self\'; ' - .'script-src \'self\' \'unsafe-eval\'; ' - .'style-src \'self\' \'unsafe-inline\'; ' - .'frame-src *; ' - .'img-src *; ' - .'font-src \'self\' data:; ' - .'media-src *'); - header('Content-Security-Policy:'.$policy); // Standard - $this->findTemplate($name); } |