diff options
| author | Thomas Citharel <tcit@tcit.fr> | 2017-06-19 13:55:46 +0200 |
|---|---|---|
| committer | Thomas Citharel <tcit@tcit.fr> | 2017-09-15 15:23:10 +0200 |
| commit | ecf347bd1aaaeb2cd11b8ffbc60da099c68f1d83 (patch) | |
| tree | c18d1ad5792a45f415a38604ef1c3adb3456f901 /lib | |
| parent | 8500e114575d7e02ffda8070980cc77ba147e60f (diff) | |
| download | nextcloud-server-ecf347bd1aaaeb2cd11b8ffbc60da099c68f1d83.tar.gz nextcloud-server-ecf347bd1aaaeb2cd11b8ffbc60da099c68f1d83.zip | |
Add CSP frame-ancestors support
Didn't set the @since annotation yet.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Diffstat (limited to 'lib')
3 files changed, 48 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php index 47314609498..a6892505520 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicy.php +++ b/lib/private/Security/CSP/ContentSecurityPolicy.php @@ -197,4 +197,18 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy $this->allowedChildSrcDomains = $allowedChildSrcDomains; } + /** + * @return array + */ + public function getAllowedFrameAncestors() { + return $this->allowedFrameAncestors; + } + + /** + * @param array $allowedFrameAncestors + */ + public function setAllowedFrameAncestors($allowedFrameAncestors) { + $this->allowedFrameAncestors = $allowedFrameAncestors; + } + } diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index 17844497f94..0a792fa2630 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -84,4 +84,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { ]; /** @var array Domains from which web-workers and nested browsing content can load elements */ protected $allowedChildSrcDomains = []; + + /** @var array Domains which can embeed this Nextcloud instance */ + protected $allowedFrameAncestors = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 64d4eb6e5d0..d0536259f7a 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -68,6 +68,8 @@ class EmptyContentSecurityPolicy { protected $allowedFontDomains = null; /** @var array Domains from which web-workers and nested browsing content can load elements */ protected $allowedChildSrcDomains = null; + /** @var array Domains which can embeed this Nextcloud instance */ + protected $allowedFrameAncestors = null; /** * Whether inline JavaScript snippets are allowed or forbidden @@ -327,6 +329,30 @@ class EmptyContentSecurityPolicy { } /** + * Domains which can embeed an iFrame of the Nextcloud instance + * + * @param string $domain + * @return $this + * @since 12.x + */ + public function addAllowedFrameAncestorDomain($domain) { + $this->allowedFrameAncestors[] = $domain; + return $this; + } + + /** + * Domains which can embeed an iFrame of the Nextcloud instance + * + * @param string $domain + * @return $this + * @since 12.x + */ + public function disallowFrameAncestorDomain($domain) { + $this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]); + return $this; + } + + /** * Get the generated Content-Security-Policy as a string * @return string * @since 8.1.0 @@ -405,6 +431,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if(!empty($this->allowedFrameAncestors)) { + $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors); + $policy .= ';'; + } + return rtrim($policy, ';'); } } |