diff options
| author | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2023-05-04 16:54:23 +0200 |
|---|---|---|
| committer | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2023-08-10 02:38:41 +0200 |
| commit | 41f2d912d26b7155d61c921d4e53ee7d846522ed (patch) | |
| tree | a500e8a6b5532533babf156789345e19b531c2d7 /tests/lib/AppFramework/Http | |
| parent | 9fda40f92a6c4cba82246dbbc2a6602c2a28e0f1 (diff) | |
| download | nextcloud-server-41f2d912d26b7155d61c921d4e53ee7d846522ed.tar.gz nextcloud-server-41f2d912d26b7155d61c921d4e53ee7d846522ed.zip | |
Allow "wasm-unsafe-eval" in CSP
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).
Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.
To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Diffstat (limited to 'tests/lib/AppFramework/Http')
| -rw-r--r-- | tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php | 7 | ||||
| -rw-r--r-- | tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php | 7 |
2 files changed, 14 insertions, 0 deletions
diff --git a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php index 53632da93d1..8e6ac32b416 100644 --- a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php +++ b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php @@ -456,6 +456,13 @@ class ContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } + public function testGetPolicyUnsafeWasmEval() { + $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; + + $this->contentSecurityPolicy->allowEvalWasm(true); + $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); + } + public function testGetPolicyNonce() { $nonce = 'my-nonce'; $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'"; diff --git a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php index dc10d095ab5..328e464f981 100644 --- a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php +++ b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php @@ -75,6 +75,13 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase { $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); } + public function testGetPolicyScriptAllowWasmEval() { + $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'"; + + $this->contentSecurityPolicy->allowEvalWasm(true); + $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); + } + public function testGetPolicyStyleDomainValid() { $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'"; |