author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-09-03 16:47:52 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-09-04 07:35:44 +0200 |
commit | c8fe4b4fc864ca025610621903f30e97486dbd43 (patch) | |
tree | 75f0b2a5f54ddce20adc7725b8808088220774c6 | |
parent | 12a2a754e2ff7a31d75cef94f981e1eb069bb2f5 (diff) | |
Add workerSrc to CSP
Fixes #11035
Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r-- | lib/private/Security/CSP/ContentSecurityPolicy.php | 8 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 3 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 31 |
3 files changed, 42 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 77e20dedf44..de62b5ee76a 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -213,4 +213,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		$this->allowedFrameAncestors = $allowedFrameAncestors;
 	}
 
+	public function getAllowedWorkerSrcDomains(): array {
+		return $this->allowedWorkerSrcDomains;
+	}
+
+	public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
+		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
+	}
+
 }
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index c705955bb8a..3445e8f8802 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -91,4 +91,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var array Domains which can embed this Nextcloud instance */
 	protected $allowedFrameAncestors = [];
 
+
+	/** @var array Domains from which web-workers can be loaded */
+	protected $allowedWorkerSrcDomains = [];
 }
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 6397d32cb9c..6784f5723bf 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -73,6 +73,8 @@ class EmptyContentSecurityPolicy {
 	protected $allowedChildSrcDomains = null;
 	/** @var array Domains which can embed this Nextcloud instance */
 	protected $allowedFrameAncestors = null;
+	/** @var array Domains from which web-workers can be loaded */
+	protected $allowedWorkerSrcDomains = null;
 
 	/**
 	 * Whether inline JavaScript snippets are allowed or forbidden
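Review bot: `setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains)` in the first hunk declares no return type, while its sibling `getAllowedWorkerSrcDomains(): array` does; declaring it `public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains): void {` keeps the pair consistent and makes the contract explicit. Neither method carries a docblock, unlike the new public-API methods in EmptyContentSecurityPolicy; a one-liner such as `/** Replace the full list of sources emitted in the worker-src directive */` on the setter would tell readers that it overwrites rather than appends. The setter stores the array as-is and the values are later joined verbatim into the header, so the docblock should also say that entries are expected to be CSP source expressions rather than arbitrary strings.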
@@ -356,6 +358,30 @@ class EmptyContentSecurityPolicy {
 	}
 
 	/**
+	 * Domain from which workers can be loaded
+	 *
+	 * @param string $domain
+	 * @return $this
+	 * @since 15.0.0
+	 */
+	public function addAllowedWorkerSrcDomain(string $domain) {
+		$this->allowedWorkerSrcDomains[] = $domain;
+		return $this;
+	}
+
+	/**
+	 * Remove domain from which workers can be loaded
+	 *
+	 * @param string $domain
+	 * @return $this
+	 * @since 15.0.0
+	 */
+	public function disallowWorkerSrcDomain(string $domain) {
+		$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
+		return $this;
+	}
+
+	/**
 	 * Get the generated Content-Security-Policy as a string
 	 * @return string
 	 * @since 8.1.0
@@ -439,6 +465,11 @@ class EmptyContentSecurityPolicy {
 			$policy .= ';';
 		}
 
+		if (!empty($this->allowedWorkerSrcDomains)) {
+			$policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
+			$policy .= ';';
+		}
+
 		return rtrim($policy, ';');
 	}
 }
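Review bot: `disallowWorkerSrcDomain()` passes `$this->allowedWorkerSrcDomains` straight to `array_diff()`, but the EmptyContentSecurityPolicy property hunk in the previous file section initialises it to `null`, so calling the method before any `addAllowedWorkerSrcDomain()` hands `null` to `array_diff()` (a warning and `null` result on PHP 7, a TypeError on PHP 8) instead of leaving the list empty. Guard the call: `$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains ?? [], [$domain]);`. `addAllowedWorkerSrcDomain()` only works on the `null` default because `[] =` promotes it to an array, which deserves a comment such as `// property defaults to null; [] = promotes it to an array on first use`. Both docblocks should also state that the value is emitted verbatim into the `worker-src` directive, so callers must pass a CSP source expression (a host, a scheme or a keyword like `'self'`), not free text.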
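Review bot: The new `worker-src` block in the second hunk only emits the directive when the list is non-empty, and nothing documents what governs workers otherwise: under CSP Level 3 a missing `worker-src` falls back to `child-src`, then `script-src`, then `default-src`, so a policy that sets only `child-src` keeps governing workers until that directive is removed as the commit message intends. A comment above the `if` would make that dependency explicit: `// CSP3 fallback: with no worker-src, browsers apply child-src, then script-src/default-src, to workers`. The enclosing method begins outside the hunk.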