author | Lukas Reschke <lukas@statuscode.ch> | 2017-09-18 14:25:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-18 14:25:44 +0200 |
commit | 53057f2bd0fd1e7239ebd5cb6f82eb2766f642ee (patch) | |
tree | 11726c07a58e3ead653e6551b2448ad689a39c95 /lib | |
parent | 8b1eaba417553410871ebec64f78a96cefaa6f6d (diff) | |
parent | eb51c46549d1fe01fe8fdbefd2303bf597c88b54 (diff) | |
download | nextcloud-server-53057f2bd0fd1e7239ebd5cb6f82eb2766f642ee.tar.gz nextcloud-server-53057f2bd0fd1e7239ebd5cb6f82eb2766f642ee.zip |
Merge pull request #5462 from nextcloud/add-frameancestor-support
Add CSP frame-ancestors support
Diffstat (limited to 'lib')
3 files changed, 48 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 47314609498..a6892505520 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -197,4 +197,18 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 $this->allowedChildSrcDomains = $allowedChildSrcDomains;
 }
 
+ /**
+ * @return array
+ */
+ public function getAllowedFrameAncestors() {
+ return $this->allowedFrameAncestors;
+ }
+
+ /**
+ * @param array $allowedFrameAncestors
+ */
+ public function setAllowedFrameAncestors($allowedFrameAncestors) {
+ $this->allowedFrameAncestors = $allowedFrameAncestors;
+ }
+
 }
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 17844497f94..b17dc070fe1 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -84,4 +84,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 ];
 /** @var array Domains from which web-workers and nested browsing content can load elements */
 protected $allowedChildSrcDomains = [];
+
+ /** @var array Domains which can embed this Nextcloud instance */
+ protected $allowedFrameAncestors = [];
 }
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 64d4eb6e5d0..5902d4ddbeb 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
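Review bot: `setAllowedFrameAncestors($allowedFrameAncestors)` documents `@param array` but declares no parameter type, so a string or null is stored silently and only fails later when the policy is rendered through `implode`. Declaring it as `public function setAllowedFrameAncestors(array $allowedFrameAncestors) {` rejects bad input at the call site instead. The neighbouring setter whose closing lines appear as context starts outside the hunk, so I cannot tell whether this file already hints `array` on its setters; match whatever it does.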
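Review bot: The default `protected $allowedFrameAncestors = [];` means the stock policy never emits a `frame-ancestors` directive, because the generator in EmptyContentSecurityPolicy only writes it when the list is non-empty, so this class by itself places no CSP restriction on who may frame the instance. Clickjacking protection therefore still rests entirely on whatever X-Frame-Options header is set elsewhere, which this diff does not show. If same-origin framing is the intended baseline, consider `protected $allowedFrameAncestors = ['\'self\''];` so the CSP itself carries the restriction rather than depending on a separate header. The property comment should also state that an empty list means "no frame-ancestors directive, framing not restricted by CSP", not "nobody may embed", since readers will assume the latter.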
@@ -68,6 +68,8 @@ class EmptyContentSecurityPolicy {
 protected $allowedFontDomains = null;
 /** @var array Domains from which web-workers and nested browsing content can load elements */
 protected $allowedChildSrcDomains = null;
+ /** @var array Domains which can embed this Nextcloud instance */
+ protected $allowedFrameAncestors = null;
 
 /**
 * Whether inline JavaScript snippets are allowed or forbidden
@@ -327,6 +329,30 @@ class EmptyContentSecurityPolicy {
 }
 
 /**
+ * Domains which can embed an iFrame of the Nextcloud instance
+ *
+ * @param string $domain
+ * @return $this
+ * @since 13.0.0
+ */
+ public function addAllowedFrameAncestorDomain($domain) {
+ $this->allowedFrameAncestors[] = $domain;
+ return $this;
+ }
+
+ /**
+ * Domains which can embed an iFrame of the Nextcloud instance
+ *
+ * @param string $domain
+ * @return $this
+ * @since 13.0.0
+ */
+ public function disallowFrameAncestorDomain($domain) {
+ $this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
+ return $this;
+ }
+
+ /**
 * Get the generated Content-Security-Policy as a string
 * @return string
 * @since 8.1.0
@@ -405,6 +431,11 @@ class EmptyContentSecurityPolicy {
 $policy .= ';';
 }
 
+ if(!empty($this->allowedFrameAncestors)) {
+ $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
+ $policy .= ';';
+ }
+
 return rtrim($policy, ';');
 }
 }
|
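Review bot: `disallowFrameAncestorDomain` calls `array_diff($this->allowedFrameAncestors, [$domain])` while the property added in the first hunk defaults to `null`, so invoking it on an `EmptyContentSecurityPolicy` before any `addAllowedFrameAncestorDomain` hands null to `array_diff`, which emits a warning and yields null on PHP 5/7 and throws a `TypeError` on PHP 8. `$this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors ?: [], [$domain]);` keeps it null-safe without requiring PHP 7 syntax. The docblock on `disallowFrameAncestorDomain` is copied verbatim from the add method and describes the opposite behaviour; replace its first line with `Remove a domain from the list of allowed frame ancestors`. Both methods splice `$domain` unmodified into the header value, so the docblocks should say callers must pass a CSP source expression (`'self'`, an origin, or `'none'`) and never user-supplied input, since a `;` inside the string would start a new directive.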
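Review bot: Emitting `frame-ancestors` only when the list is non-empty gives an app no way to forbid framing entirely except by adding the literal `'none'`, and once the directive is present, browsers implementing CSP Level 2 ignore `X-Frame-Options` for that response. An app that adds only an external origin therefore not only permits that origin to frame Nextcloud but also blocks same-origin embedding unless it adds `'self'` too, regardless of any X-Frame-Options header set elsewhere (not visible in this diff). That trap deserves a comment above the new `if`: `// frame-ancestors supersedes X-Frame-Options when present; callers must include 'self' to keep same-origin framing, or 'none' to forbid all framing`. The body of getPolicy starts well above this hunk, so I cannot see whether the other directives follow an established convention for expressing `'none'`.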