author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2023-08-11 14:04:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-11 14:04:49 +0200 |
commit | 9fb08f506fd42fa7b7a143e40e081782fec359d7 (patch) | |
tree | 504a75e3f95c4bddbc6794f4ed7787caacffce2a /lib | |
parent | 833489d754d125f06b67df40674b8f5b3da2ee69 (diff) | |
parent | 41f2d912d26b7155d61c921d4e53ee7d846522ed (diff) | |
Merge pull request #38082 from nextcloud/allow-wasm-unsafe-eval-in-csp
Allow "wasm-unsafe-eval" in CSP
Diffstat (limited to 'lib')
4 files changed, 29 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 8d9551c8978..e2d115cf34e 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -64,6 +64,14 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 $this->evalScriptAllowed = $evalScriptAllowed;
 }
 
+ public function isEvalWasmAllowed(): ?bool {
+ return $this->evalWasmAllowed;
+ }
+
+ public function setEvalWasmAllowed(bool $evalWasmAllowed): void {
+ $this->evalWasmAllowed = $evalWasmAllowed;
+ }
+
 /**
 * @return array
 */
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 0e3a6a705d5..f17dd9bd270 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 protected $inlineScriptAllowed = false;
 /** @var bool Whether eval in JS scripts is allowed */
 protected $evalScriptAllowed = false;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = false;
 /** @var bool Whether strict-dynamic should be set */
 protected $strictDynamicAllowed = false;
 /** @var array Domains from which scripts can get loaded */
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 035b4f01f60..7e1de2ef2eb 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
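Review bot: The docblock added in lib/public/AppFramework/Http/ContentSecurityPolicy.php says `@var bool`, but the property is declared `protected ?bool $evalWasmAllowed = false;`, so the annotation and the native type disagree. The same mismatch is repeated in the EmptyContentSecurityPolicy hunk at -47,6, where the default is actually `null`, and in the StrictContentSecurityPolicy hunk. I would write `/** @var bool|null Whether WebAssembly compilation is allowed */` in all three places. Presumably `null` means the value was never set, as with `$evalScriptAllowed = null` in the empty policy; if so, the comment in EmptyContentSecurityPolicy should say that. The class bodies continue outside these hunks.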
@@ -47,6 +47,8 @@ class EmptyContentSecurityPolicy {
 * @link https://github.com/owncloud/core/issues/11925
 */
 protected $evalScriptAllowed = null;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = null;
 /** @var array Domains from which scripts can get loaded */
 protected $allowedScriptDomains = null;
 /**
@@ -117,6 +119,17 @@ class EmptyContentSecurityPolicy {
 }
 
 /**
+ * Whether WebAssembly compilation is allowed or forbidden
+ * @param bool $state
+ * @return $this
+ * @since 28.0.0
+ */
+ public function allowEvalWasm(bool $state = true) {
+ $this->evalWasmAllowed = $state;
+ return $this;
+ }
+
+ /**
 * Allows to execute JavaScript files from a specific domain. Use * to
 * allow JavaScript from all domains.
 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
@@ -433,7 +446,7 @@ class EmptyContentSecurityPolicy {
 $policy .= "base-uri 'none';";
 $policy .= "manifest-src 'self';";
 
- if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) {
+ if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
 $policy .= 'script-src ';
 if (is_string($this->useJsNonce)) {
 if ($this->strictDynamicAllowed) {
@@ -453,6 +466,9 @@ class EmptyContentSecurityPolicy {
 if ($this->evalScriptAllowed) {
 $policy .= ' \'unsafe-eval\'';
 }
+ if ($this->evalWasmAllowed) {
+ $policy .= ' \'wasm-unsafe-eval\'';
+ }
 $policy .= ';';
 }
 
diff --git a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
index ed137bad930..96c03673d5c 100644
--- a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
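Review bot: The docblock added for `allowEvalWasm()` in the -117,6 hunk does not say what the switch changes in the emitted header, which an app author needs to know in order to choose it over `evalScriptAllowed`. Per the -453,6 hunk, a true value appends `'wasm-unsafe-eval'` to `script-src`; that keyword permits WebAssembly compilation and instantiation without permitting JavaScript `eval()`. I would extend the summary line to `Whether WebAssembly compilation is allowed or forbidden. When allowed, 'wasm-unsafe-eval' is added to script-src; this does not enable JavaScript eval().` I would also add a sentence recommending this method over 'unsafe-eval' when only WebAssembly is required, so that callers do not widen the policy more than they need to.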
@@ -46,6 +46,8 @@ class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
 protected $inlineScriptAllowed = false;
 /** @var bool Whether eval in JS scripts is allowed */
 protected $evalScriptAllowed = false;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = false;
 /** @var array Domains from which scripts can get loaded */
 protected $allowedScriptDomains = [
 '\'self\'', |