diff options
author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-07-30 23:13:46 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-07-31 15:16:10 +0200 |
commit | f94ee725073d22302740800b252f9e70675ae46f (patch) | |
tree | 9dc5a1ee47eab19ecf670eafc8cbca02ffd67faf /lib | |
parent | f1066fd769cd1e07d1aa67fb620d390d67de2bd9 (diff) | |
download | nextcloud-server-f94ee725073d22302740800b252f9e70675ae46f.tar.gz nextcloud-server-f94ee725073d22302740800b252f9e70675ae46f.zip |
Add form-action CSP element
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/Security/CSP/ContentSecurityPolicy.php | 9 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 5 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 30 |
3 files changed, 44 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php index a066c986f15..9d1d043a165 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicy.php +++ b/lib/private/Security/CSP/ContentSecurityPolicy.php @@ -225,6 +225,15 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy $this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains; } + public function getAllowedFormActionDomains(): array { + return $this->allowedFormActionDomains; + } + + public function setAllowedFormActionDomains(array $allowedFormActionDomains): void { + $this->allowedFormActionDomains = $allowedFormActionDomains; + } + + public function getReportTo(): array { return $this->reportTo; } diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index c12fbc7561e..0bb776a08e6 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = []; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = [ + '\'self\'', + ]; + /** @var array Locations to report violations to */ protected $reportTo = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 0a77e27d8c0..de892aacf26 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy { protected $allowedFrameAncestors = null; /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = null; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = null; /** @var array Locations to report violations to */ protected $reportTo = null; @@ -387,6 +389,29 @@ class EmptyContentSecurityPolicy { } /** + * Domain to where forms can submit + * + * @since 17.0.0 + * + * @return $this + */ + public function addAllowedFormActionDomain(string $domain) { + $this->allowedFormActionDomains[] = $domain; + return $this; + } + + /** + * Remove domain to where forms can submit + * + * @return $this + * @since 17.0.0 + */ + public function disallowFormActionDomain(string $domain) { + $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]); + return $this; + } + + /** * Add location to report CSP violations to * * @param string $location @@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if (!empty($this->allowedFormActionDomains)) { + $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains); + $policy .= ';'; + } + if (!empty($this->reportTo)) { $policy .= 'report-uri ' . implode(' ', $this->reportTo); $policy .= ';'; |