diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2016-09-15 11:26:24 +0200 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2016-09-15 13:11:36 +0200 |
| commit | 7c078a81b4d55caa9f0381d11a27cfe5e5f1c31a (patch) | |
| tree | e499f927259148b62c7327282b7bc3b1d552479b /lib/private/AppFramework | |
| parent | 4fdee00c275c3a16381301d36635b7b0f5398751 (diff) | |
| download | nextcloud-server-7c078a81b4d55caa9f0381d11a27cfe5e5f1c31a.tar.gz nextcloud-server-7c078a81b4d55caa9f0381d11a27cfe5e5f1c31a.zip | |
Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
Diffstat (limited to 'lib/private/AppFramework')
| -rw-r--r-- | lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php | 5 | ||||
| -rw-r--r-- | lib/private/AppFramework/OCS/BaseResponse.php | 3 |
2 files changed, 7 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php index 3bfef2df025..5e253d0954a 100644 --- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php @@ -37,6 +37,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException; use OC\AppFramework\Utility\ControllerMethodReflector; use OC\Security\CSP\ContentSecurityPolicyManager; use OCP\AppFramework\Http\ContentSecurityPolicy; +use OCP\AppFramework\Http\EmptyContentSecurityPolicy; use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Middleware; @@ -182,6 +183,10 @@ class SecurityMiddleware extends Middleware { public function afterController($controller, $methodName, Response $response) { $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy(); + if (get_class($policy) === EmptyContentSecurityPolicy::class) { + return $response; + } + $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy(); $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy); diff --git a/lib/private/AppFramework/OCS/BaseResponse.php b/lib/private/AppFramework/OCS/BaseResponse.php index fa22498ac0f..59b8660a382 100644 --- a/lib/private/AppFramework/OCS/BaseResponse.php +++ b/lib/private/AppFramework/OCS/BaseResponse.php @@ -23,6 +23,7 @@ namespace OC\AppFramework\OCS; use OCP\AppFramework\Http\DataResponse; +use OCP\AppFramework\Http\EmptyContentSecurityPolicy; use OCP\AppFramework\Http\Response; abstract class BaseResponse extends Response { @@ -67,7 +68,7 @@ abstract class BaseResponse extends Response { $this->setETag($dataResponse->getETag()); $this->setLastModified($dataResponse->getLastModified()); $this->setCookies($dataResponse->getCookies()); - $this->setContentSecurityPolicy($dataResponse->getContentSecurityPolicy()); + $this->setContentSecurityPolicy(new EmptyContentSecurityPolicy()); if ($format === 'json') { $this->addHeader( |