authorLukas Reschke <lukas@owncloud.com>2015-02-26 12:54:15 +0100
committerLukas Reschke <lukas@owncloud.com>2015-02-28 12:27:46 +0100
commitb29940d956e638b14f2012022b0ad91ebac7f8e8 (patch)
tree02824c7f6b6df67b5bd9f6aacbb92740486439f9 /lib/public/appframework
parent42f6448da239c1b716ae514a513c4985eec48ef5 (diff)
Add support for 'child-src' directive
This is required when working with stuff such as PDF.js in the files_pdfviewer application. Opt-in only. Master change only, because the stable CSP policies have a fallback that allows nearly anything :see_no_evil:
Diffstat (limited to 'lib/public/appframework')
-rw-r--r--lib/public/appframework/http/contentsecuritypolicy.php17
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/public/appframework/http/contentsecuritypolicy.php b/lib/public/appframework/http/contentsecuritypolicy.php
index cb9a241d8af..6778d1035be 100644
--- a/lib/public/appframework/http/contentsecuritypolicy.php
+++ b/lib/public/appframework/http/contentsecuritypolicy.php
@@ -65,6 +65,8 @@ class ContentSecurityPolicy {
private $allowedFontDomains = [
'\'self\'',
];
+ /** @var array Domains from which web-workers and nested browsing content can load elements */
+ private $allowedChildSrcDomains = [];
/**
* Whether inline JavaScript snippets are allowed or forbidden
@@ -181,6 +183,16 @@ class ContentSecurityPolicy {
}
/**
+ * Domains from which web-workers and nested browsing content can load elements
+ * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+ * @return $this
+ */
+ public function addAllowedChildSrcDomain($domain) {
+ $this->allowedChildSrcDomains[] = $domain;
+ return $this;
+ }
+
+ /**
* Get the generated Content-Security-Policy as a string
* @return string
*/
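Review bot: `addAllowedChildSrcDomain()` stores `$domain` unchecked, and the third hunk joins the list into the header with `implode(' ', ...)`, so a value containing whitespace, `;`, `,` or a line break would add extra sources or whole directives to the emitted policy. The docblock leaves sanitising to the caller; a guard in the setter would enforce that contract, e.g. `if (!is_string($domain) || preg_match('/[;,\s]/', $domain)) { throw new \InvalidArgumentException('Invalid CSP source expression'); }`. Whether throwing fits this class's conventions cannot be judged from the hunk, since the sibling setters are outside it. If the check stays with callers, the `@param` text should at least name what must be rejected, e.g. `Must be a single CSP source expression without whitespace, ';' or ','.`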
@@ -236,6 +248,11 @@ class ContentSecurityPolicy {
$policy .= ';';
}
+ if(!empty($this->allowedChildSrcDomains)) {
+ $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
+ $policy .= ';';
+ }
+
return rtrim($policy, ';');
}
}
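Review bot: Browsers that implement only CSP 1.0 ignore `child-src`, so the sources added in this block take effect only in CSP Level 2 browsers; elsewhere nested content is still governed by `frame-src` or `default-src`. Whether this method emits either of those is not visible here, because it starts outside the hunk. A comment above the block would record the dependency, e.g. `// child-src is CSP Level 2; CSP 1.0 browsers fall back to frame-src/default-src`. A unit test asserting that the directive is absent while the list is empty would pin the opt-in behaviour the commit message promises.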