aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicy.php8
-rw-r--r--lib/public/AppFramework/Http/ContentSecurityPolicy.php2
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php18
-rw-r--r--lib/public/AppFramework/Http/StrictContentSecurityPolicy.php2
-rw-r--r--tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php7
-rw-r--r--tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php7
6 files changed, 43 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 8d9551c8978..e2d115cf34e 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -64,6 +64,14 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
$this->evalScriptAllowed = $evalScriptAllowed;
}
+ public function isEvalWasmAllowed(): ?bool {
+ return $this->evalWasmAllowed;
+ }
+
+ public function setEvalWasmAllowed(bool $evalWasmAllowed): void {
+ $this->evalWasmAllowed = $evalWasmAllowed;
+ }
+
/**
* @return array
*/
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 0e3a6a705d5..f17dd9bd270 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -44,6 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
protected $inlineScriptAllowed = false;
/** @var bool Whether eval in JS scripts is allowed */
protected $evalScriptAllowed = false;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = false;
/** @var bool Whether strict-dynamic should be set */
protected $strictDynamicAllowed = false;
/** @var array Domains from which scripts can get loaded */
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 035b4f01f60..7e1de2ef2eb 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -47,6 +47,8 @@ class EmptyContentSecurityPolicy {
* @link https://github.com/owncloud/core/issues/11925
*/
protected $evalScriptAllowed = null;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = null;
/** @var array Domains from which scripts can get loaded */
protected $allowedScriptDomains = null;
/**
@@ -117,6 +119,17 @@ class EmptyContentSecurityPolicy {
}
/**
+ * Whether WebAssembly compilation is allowed or forbidden
+ * @param bool $state
+ * @return $this
+ * @since 28.0.0
+ */
+ public function allowEvalWasm(bool $state = true) {
+ $this->evalWasmAllowed = $state;
+ return $this;
+ }
+
+ /**
* Allows to execute JavaScript files from a specific domain. Use * to
* allow JavaScript from all domains.
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
@@ -433,7 +446,7 @@ class EmptyContentSecurityPolicy {
$policy .= "base-uri 'none';";
$policy .= "manifest-src 'self';";
- if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) {
+ if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
$policy .= 'script-src ';
if (is_string($this->useJsNonce)) {
if ($this->strictDynamicAllowed) {
@@ -453,6 +466,9 @@ class EmptyContentSecurityPolicy {
if ($this->evalScriptAllowed) {
$policy .= ' \'unsafe-eval\'';
}
+ if ($this->evalWasmAllowed) {
+ $policy .= ' \'wasm-unsafe-eval\'';
+ }
$policy .= ';';
}
diff --git a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
index ed137bad930..96c03673d5c 100644
--- a/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/StrictContentSecurityPolicy.php
@@ -46,6 +46,8 @@ class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
protected $inlineScriptAllowed = false;
/** @var bool Whether eval in JS scripts is allowed */
protected $evalScriptAllowed = false;
+ /** @var bool Whether WebAssembly compilation is allowed */
+ protected ?bool $evalWasmAllowed = false;
/** @var array Domains from which scripts can get loaded */
protected $allowedScriptDomains = [
'\'self\'',
diff --git a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
index 53632da93d1..8e6ac32b416 100644
--- a/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
+++ b/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
@@ -456,6 +456,13 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
+ public function testGetPolicyUnsafeWasmEval() {
+ $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'wasm-unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
+
+ $this->contentSecurityPolicy->allowEvalWasm(true);
+ $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+ }
+
public function testGetPolicyNonce() {
$nonce = 'my-nonce';
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-".base64_encode($nonce) . "';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
diff --git a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
index dc10d095ab5..328e464f981 100644
--- a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
+++ b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
@@ -75,6 +75,13 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
+ public function testGetPolicyScriptAllowWasmEval() {
+ $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'wasm-unsafe-eval';frame-ancestors 'none'";
+
+ $this->contentSecurityPolicy->allowEvalWasm(true);
+ $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+ }
+
public function testGetPolicyStyleDomainValid() {
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';style-src www.owncloud.com;frame-ancestors 'none'";
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-14 09:00:11 +0000