Add public API to give developers the possibility to adjust the global CSP defaults

Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
author: Lukas Reschke <lukas@owncloud.com> 2016-01-28 14:33:02 +0100
committer: Lukas Reschke <lukas@owncloud.com> 2016-01-28 18:36:46 +0100
commit: 809ff5ac95080b02d1ba4bba76efab59ff70122b (patch)
tree: e0049e209a157acab5150daac19a77ac01fdf8f0 /lib/private/appframework
parent: 8b3d7d09d52ba169953d6a7d03ab570eb3ceed7a (diff)
download: nextcloud-server-809ff5ac95080b02d1ba4bba76efab59ff70122b.tar.gz
nextcloud-server-809ff5ac95080b02d1ba4bba76efab59ff70122b.zip
2 files changed, 41 insertions, 6 deletions
diff --git a/lib/private/appframework/dependencyinjection/dicontainer.php b/lib/private/appframework/dependencyinjection/dicontainer.php
index 61a04482431..ff9da88cd81 100644
--- a/lib/private/appframework/dependencyinjection/dicontainer.php
+++ b/lib/private/appframework/dependencyinjection/dicontainer.php
@@ -32,7 +32,6 @@ namespace OC\AppFramework\DependencyInjection;
 
 use OC;
 use OC\AppFramework\Http;
-use OC\AppFramework\Http\Request;
 use OC\AppFramework\Http\Dispatcher;
 use OC\AppFramework\Http\Output;
 use OC\AppFramework\Core\API;
@@ -43,8 +42,6 @@ use OC\AppFramework\Middleware\SessionMiddleware;
 use OC\AppFramework\Utility\SimpleContainer;
 use OCP\AppFramework\IApi;
 use OCP\AppFramework\IAppContainer;
-use OCP\AppFramework\Middleware;
-use OCP\IServerContainer;
 
 
 class DIContainer extends SimpleContainer implements IAppContainer {
@@ -255,6 +252,10 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 			return $this->getServer()->getSession();
 		});
 
+		$this->registerService('OCP\\Security\\IContentSecurityPolicyManager', function($c) {
+			return $this->getServer()->getContentSecurityPolicyManager();
+		});
+
 		$this->registerService('ServerContainer', function ($c) {
 			return $this->getServer();
 		});
@@ -319,7 +320,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 				$app->getServer()->getLogger(),
 				$c['AppName'],
 				$app->isLoggedIn(),
-				$app->isAdminUser()
+				$app->isAdminUser(),
+				$app->getServer()->getContentSecurityPolicyManager()
 			);
 		});
 
diff --git a/lib/private/appframework/middleware/security/securitymiddleware.php b/lib/private/appframework/middleware/security/securitymiddleware.php
index 4ef043ad50f..f1ba98254f0 100644
--- a/lib/private/appframework/middleware/security/securitymiddleware.php
+++ b/lib/private/appframework/middleware/security/securitymiddleware.php
@@ -32,6 +32,8 @@ use OC\Appframework\Middleware\Security\Exceptions\CrossSiteRequestForgeryExcept
 use OC\Appframework\Middleware\Security\Exceptions\NotAdminException;
 use OC\Appframework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
+use OC\Security\CSP\ContentSecurityPolicyManager;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
@@ -52,15 +54,24 @@ use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
  * check fails
  */
 class SecurityMiddleware extends Middleware {
-
+	/** @var INavigationManager */
 	private $navigationManager;
+	/** @var IRequest */
 	private $request;
+	/** @var ControllerMethodReflector */
 	private $reflector;
+	/** @var string */
 	private $appName;
+	/** @var IURLGenerator */
 	private $urlGenerator;
+	/** @var ILogger */
 	private $logger;
+	/** @var bool */
 	private $isLoggedIn;
+	/** @var bool */
 	private $isAdminUser;
+	/** @var ContentSecurityPolicyManager */
+	private $contentSecurityPolicyManager;
 
 	/**
 	 * @param IRequest $request
@@ -71,6 +82,7 @@ class SecurityMiddleware extends Middleware {
 	 * @param string $appName
 	 * @param bool $isLoggedIn
 	 * @param bool $isAdminUser
+	 * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@@ -79,7 +91,8 @@ class SecurityMiddleware extends Middleware {
 								ILogger $logger,
 								$appName,
 								$isLoggedIn,
-								$isAdminUser) {
+								$isAdminUser,
+								ContentSecurityPolicyManager $contentSecurityPolicyManager) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@@ -88,6 +101,7 @@ class SecurityMiddleware extends Middleware {
 		$this->logger = $logger;
 		$this->isLoggedIn = $isLoggedIn;
 		$this->isAdminUser = $isAdminUser;
+		$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
 	}
 
 
@@ -139,6 +153,25 @@ class SecurityMiddleware extends Middleware {
 
 	}
 
+	/**
+	 * Performs the default CSP modifications that may be injected by other
+	 * applications
+	 *
+	 * @param Controller $controller
+	 * @param string $methodName
+	 * @param Response $response
+	 * @return Response
+	 */
+	public function afterController($controller, $methodName, Response $response) {
+		$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
+
+		$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
+		$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
+
+		$response->setContentSecurityPolicy($defaultPolicy);
+
+		return $response;
+	}
 
 	/**
 	 * If an SecurityException is being caught, ajax requests return a JSON error
author	Lukas Reschke <lukas@owncloud.com>	2016-01-28 14:33:02 +0100
committer	Lukas Reschke <lukas@owncloud.com>	2016-01-28 18:36:46 +0100
commit	809ff5ac95080b02d1ba4bba76efab59ff70122b (patch)
tree	e0049e209a157acab5150daac19a77ac01fdf8f0 /lib/private/appframework
parent	8b3d7d09d52ba169953d6a7d03ab570eb3ceed7a (diff)
download	nextcloud-server-809ff5ac95080b02d1ba4bba76efab59ff70122b.tar.gz nextcloud-server-809ff5ac95080b02d1ba4bba76efab59ff70122b.zip