diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-07-30 23:13:46 +0200 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-07-31 15:16:10 +0200 |
| commit | f94ee725073d22302740800b252f9e70675ae46f (patch) | |
| tree | 9dc5a1ee47eab19ecf670eafc8cbca02ffd67faf /lib/public/AppFramework | |
| parent | f1066fd769cd1e07d1aa67fb620d390d67de2bd9 (diff) | |
| download | nextcloud-server-f94ee725073d22302740800b252f9e70675ae46f.tar.gz nextcloud-server-f94ee725073d22302740800b252f9e70675ae46f.zip | |
Add form-action CSP element
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/public/AppFramework')
| -rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 5 | ||||
| -rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 30 |
2 files changed, 35 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index c12fbc7561e..0bb776a08e6 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = []; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = [ + '\'self\'', + ]; + /** @var array Locations to report violations to */ protected $reportTo = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 0a77e27d8c0..de892aacf26 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy { protected $allowedFrameAncestors = null; /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = null; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = null; /** @var array Locations to report violations to */ protected $reportTo = null; @@ -387,6 +389,29 @@ class EmptyContentSecurityPolicy { } /** + * Domain to where forms can submit + * + * @since 17.0.0 + * + * @return $this + */ + public function addAllowedFormActionDomain(string $domain) { + $this->allowedFormActionDomains[] = $domain; + return $this; + } + + /** + * Remove domain to where forms can submit + * + * @return $this + * @since 17.0.0 + */ + public function disallowFormActionDomain(string $domain) { + $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]); + return $this; + } + + /** * Add location to report CSP violations to * * @param string $location @@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if (!empty($this->allowedFormActionDomains)) { + $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains); + $policy .= ';'; + } + if (!empty($this->reportTo)) { $policy .= 'report-uri ' . implode(' ', $this->reportTo); $policy .= ';'; |