diff options
| author | Julius Härtl <jus@bitgrid.net> | 2022-03-09 14:25:36 +0100 |
|---|---|---|
| committer | Julius Härtl <jus@bitgrid.net> | 2022-03-09 15:10:27 +0100 |
| commit | bd03dd37bec6e94bf1bb8f7329d370c5a68ecb6b (patch) | |
| tree | 54b371050de801f253fde867706529bc7bee6da9 /lib/public | |
| parent | 0825c3ea34675b12bf14dc00354e0ab1c77ecf11 (diff) | |
| download | nextcloud-server-bd03dd37bec6e94bf1bb8f7329d370c5a68ecb6b.tar.gz nextcloud-server-bd03dd37bec6e94bf1bb8f7329d370c5a68ecb6b.zip | |
Allow to set a strict-dynamic CSP through the API
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'lib/public')
| -rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 2 | ||||
| -rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 15 |
2 files changed, 17 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index d30e3b50c7f..3a91e3dc2a7 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { protected $inlineScriptAllowed = false; /** @var bool Whether eval in JS scripts is allowed */ protected $evalScriptAllowed = false; + /** @var bool Whether strict-dynamic should be set */ + protected $strictDynamicAllowed = null; /** @var array Domains from which scripts can get loaded */ protected $allowedScriptDomains = [ '\'self\'', diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index e0ef79049a4..98a42aeabb5 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -41,6 +41,8 @@ class EmptyContentSecurityPolicy { protected $inlineScriptAllowed = null; /** @var string Whether JS nonces should be used */ protected $useJsNonce = null; + /** @var bool Whether strict-dynamic should be used */ + protected $strictDynamicAllowed = null; /** * @var bool Whether eval in JS scripts is allowed * TODO: Disallow per default @@ -94,6 +96,16 @@ class EmptyContentSecurityPolicy { } /** + * @param bool $state + * @return EmptyContentSecurityPolicy + * @since 24.0.0 + */ + public function useStrictDynamic(bool $state = false): self { + $this->strictDynamicAllowed = $state; + return $this; + } + + /** * Use the according JS nonce * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager * @@ -438,6 +450,9 @@ class EmptyContentSecurityPolicy { if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) { $policy .= 'script-src '; if (is_string($this->useJsNonce)) { + if ($this->strictDynamicAllowed) { + $policy .= '\'strict-dynamic\' '; + } $policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\''; $allowedScriptDomains = array_flip($this->allowedScriptDomains); unset($allowedScriptDomains['\'self\'']); |