diff options
author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-10-16 14:04:22 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-10-21 13:38:32 +0200 |
commit | 579822b6a5639ee608e11ed23760d481a4a78f4b (patch) | |
tree | 59129f958c51b19bfd2fea5d50107cf1f37feda8 /lib/public/AppFramework/Http | |
parent | f544c9fec9e24f7216aafdada680378044ddaf61 (diff) | |
download | nextcloud-server-579822b6a5639ee608e11ed23760d481a4a78f4b.tar.gz nextcloud-server-579822b6a5639ee608e11ed23760d481a4a78f4b.zip |
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/public/AppFramework/Http')
-rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 3 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 20 |
2 files changed, 23 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index 02a52c6c49d..597069fdaaf 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -90,4 +90,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = []; + + /** @var array Locations to report violations to */ + protected $reportTo = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index ddc7918d094..3fcef1d0efd 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -76,6 +76,9 @@ class EmptyContentSecurityPolicy { /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = null; + /** @var array Locations to report violations to */ + protected $reportTo = null; + /** * Whether inline JavaScript snippets are allowed or forbidden * @param bool $state @@ -384,6 +387,18 @@ class EmptyContentSecurityPolicy { } /** + * Add location to report CSP violations to + * + * @param string $location + * @return $this + * @since 15.0.0 + */ + public function addReportTo(string $location) { + $this->reportTo[] = $location; + return $this; + } + + /** * Get the generated Content-Security-Policy as a string * @return string * @since 8.1.0 @@ -472,6 +487,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if (!empty($this->reportTo)) { + $policy .= 'report-uri ' . implode(' ', $this->reportTo); + $policy .= ';'; + } + return rtrim($policy, ';'); } } |