diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2015-02-09 16:30:01 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-02-16 11:00:41 +0100 |
| commit | b20174bdad33f619054db08e320e5e546e2834b1 (patch) | |
| tree | d23a1cd064027d81ffe81c0c81a1ac943c756be9 /lib/public/appframework/http/response.php | |
| parent | 786ff6a5a323e2efe54aa6b736c3fbdf12813d79 (diff) | |
| download | nextcloud-server-b20174bdad33f619054db08e320e5e546e2834b1.tar.gz nextcloud-server-b20174bdad33f619054db08e320e5e546e2834b1.zip | |
Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
Diffstat (limited to 'lib/public/appframework/http/response.php')
| -rw-r--r-- | lib/public/appframework/http/response.php | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/lib/public/appframework/http/response.php b/lib/public/appframework/http/response.php index 67e72cff6d9..751c48b4ca9 100644 --- a/lib/public/appframework/http/response.php +++ b/lib/public/appframework/http/response.php @@ -72,6 +72,9 @@ class Response { */ private $ETag; + /** @var ContentSecurityPolicy|null Used Content-Security-Policy */ + private $contentSecurityPolicy = null; + /** * Caches the response @@ -186,13 +189,19 @@ class Response { * @return array the headers */ public function getHeaders() { - $mergeWith = array(); + $mergeWith = []; if($this->lastModified) { $mergeWith['Last-Modified'] = $this->lastModified->format(\DateTime::RFC2822); } + // Build Content-Security-Policy and use default if none has been specified + if(is_null($this->contentSecurityPolicy)) { + $this->setContentSecurityPolicy(new ContentSecurityPolicy()); + } + $this->headers['Content-Security-Policy'] = $this->contentSecurityPolicy->buildPolicy(); + if($this->ETag) { $mergeWith['ETag'] = '"' . $this->ETag . '"'; } @@ -221,6 +230,25 @@ class Response { return $this; } + /** + * Set a Content-Security-Policy + * @param ContentSecurityPolicy $csp Policy to set for the response object + * @return $this + */ + public function setContentSecurityPolicy(ContentSecurityPolicy $csp) { + $this->contentSecurityPolicy = $csp; + return $this; + } + + /** + * Get the currently used Content-Security-Policy + * @return ContentSecurityPolicy|null Used Content-Security-Policy or null if + * none specified. + */ + public function getContentSecurityPolicy() { + return $this->contentSecurityPolicy; + } + /** * Get response status |