Merge pull request #31503 from nextcloud/enh/strict-dynamic-csp

Allow to set a strict-dynamic CSP through the API

3 files changed, 24 insertions, 0 deletions

diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 78517f639a7..8a72934d4c9 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -244,4 +244,11 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 	public function setReportTo(array $reportTo) {
 		$this->reportTo = $reportTo;
 	}
+
+	/**
+	 * @param boolean $strictDynamicAllowed
+	 */
+	public function setStrictDynamicAllowed(bool $strictDynamicAllowed) {
+		$this->strictDynamicAllowed = $strictDynamicAllowed;
+	}
 }
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index d30e3b50c7f..3a91e3dc2a7 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	protected $inlineScriptAllowed = false;
 	/** @var bool Whether eval in JS scripts is allowed */
 	protected $evalScriptAllowed = false;
+	/** @var bool Whether strict-dynamic should be set */
+	protected $strictDynamicAllowed = null;
 	/** @var array Domains from which scripts can get loaded */
 	protected $allowedScriptDomains = [
 		'\'self\'',
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index e0ef79049a4..98a42aeabb5 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -41,6 +41,8 @@ class EmptyContentSecurityPolicy {
 	protected $inlineScriptAllowed = null;
 	/** @var string Whether JS nonces should be used */
 	protected $useJsNonce = null;
+	/** @var bool Whether strict-dynamic should be used */
+	protected $strictDynamicAllowed = null;
 	/**
 	 * @var bool Whether eval in JS scripts is allowed
 	 * TODO: Disallow per default
@@ -94,6 +96,16 @@ class EmptyContentSecurityPolicy {
 	}
 
 	/**
+	 * @param bool $state
+	 * @return EmptyContentSecurityPolicy
+	 * @since 24.0.0
+	 */
+	public function useStrictDynamic(bool $state = false): self {
+		$this->strictDynamicAllowed = $state;
+		return $this;
+	}
+
+	/**
 	 * Use the according JS nonce
 	 * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
 	 *
@@ -438,6 +450,9 @@ class EmptyContentSecurityPolicy {
 		if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
 			$policy .= 'script-src ';
 			if (is_string($this->useJsNonce)) {
+				if ($this->strictDynamicAllowed) {
+					$policy .= '\'strict-dynamic\' ';
+				}
 				$policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
 				$allowedScriptDomains = array_flip($this->allowedScriptDomains);
 				unset($allowedScriptDomains['\'self\'']);