authorRoeland Jago Douma <roeland@famdouma.nl>2018-10-16 14:04:22 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2018-10-21 13:38:32 +0200
commit579822b6a5639ee608e11ed23760d481a4a78f4b (patch)
tree59129f958c51b19bfd2fea5d50107cf1f37feda8 /lib/public/AppFramework/Http
parentf544c9fec9e24f7216aafdada680378044ddaf61 (diff)
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/public/AppFramework/Http')
-rw-r--r--lib/public/AppFramework/Http/ContentSecurityPolicy.php3
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php20
2 files changed, 23 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 02a52c6c49d..597069fdaaf 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -90,4 +90,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = [];
+
+ /** @var array Locations to report violations to */
+ protected $reportTo = [];
}
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index ddc7918d094..3fcef1d0efd 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -76,6 +76,9 @@ class EmptyContentSecurityPolicy {
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = null;
+ /** @var array Locations to report violations to */
+ protected $reportTo = null;
+
/**
* Whether inline JavaScript snippets are allowed or forbidden
* @param bool $state
@@ -384,6 +387,18 @@ class EmptyContentSecurityPolicy {
}
/**
+ * Add location to report CSP violations to
+ *
+ * @param string $location
+ * @return $this
+ * @since 15.0.0
+ */
+ public function addReportTo(string $location) {
+ $this->reportTo[] = $location;
+ return $this;
+ }
+
+ /**
* Get the generated Content-Security-Policy as a string
* @return string
* @since 8.1.0
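Review bot: `addReportTo()` appends `$location` without any check, and the last hunk of this file joins the stored values straight into the header string with `implode(' ', $this->reportTo)`. A value containing `;` would end the `report-uri` directive and start another one, and embedded whitespace would be read as additional report endpoints, so a location that comes from configuration or other external input could alter the emitted policy. Consider rejecting such values before storing them, e.g. `if (preg_match('/[\s;,]/', $location) === 1) { throw new \InvalidArgumentException('Invalid CSP report location'); }`, and add a matching `@throws` line to the docblock. The docblock after the new method belongs to a function whose body is outside this hunk.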
@@ -472,6 +487,11 @@ class EmptyContentSecurityPolicy {
$policy .= ';';
}
+ if (!empty($this->reportTo)) {
+ $policy .= 'report-uri ' . implode(' ', $this->reportTo);
+ $policy .= ';';
+ }
+
return rtrim($policy, ';');
}
}
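Review bot: The property is named `reportTo` and the setter `addReportTo()`, but the directive written here is `report-uri`; CSP also defines a separate `report-to` directive whose value is a reporting group name rather than a URL, so the naming points at the wrong one. Because the setter is public API marked `@since 15.0.0`, a rename may not be practical; a comment above the `if` such as `// Emitted as report-uri (list of URLs); this is not the CSP3 report-to directive` would prevent the confusion. It is also worth stating in the setter's docblock that violation reports carry the URI of the affected document, so the endpoint should be one the instance operator trusts. The start of the enclosing function is outside this hunk.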