-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicy.php8
-rw-r--r--lib/public/AppFramework/Http/ContentSecurityPolicy.php3
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php20
-rw-r--r--tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php15
4 files changed, 46 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index cae247f9f4f..8fd4df05c31 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -223,4 +223,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
}
+ public function getReportTo(): array {
+ return $this->reportTo;
+ }
+
+ public function setReportTo(array $reportTo) {
+ $this->reportTo = $reportTo;
+ }
+
}
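Review bot: `setReportTo(array $reportTo)` on the private subclass has no return type while its sibling `getReportTo(): array` does; declare it `public function setReportTo(array $reportTo): void {` and give both a short docblock, since the other accessors in this class document the directive they back. Nothing checks the array's elements, so a non-string or a string containing `;` or whitespace would be spliced verbatim into the header by `buildPolicy()`; a `/** @param string[] $reportTo Report endpoints; each must be a single URI with no whitespace or ';' */` note at least records the contract the public `addReportTo()` already implies.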
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index 02a52c6c49d..597069fdaaf 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -90,4 +90,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = [];
+
+ /** @var array Locations to report violations to */
+ protected $reportTo = [];
}
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index ddc7918d094..3fcef1d0efd 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -76,6 +76,9 @@ class EmptyContentSecurityPolicy {
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = null;
+ /** @var array Locations to report violations to */
+ protected $reportTo = null;
+
/**
* Whether inline JavaScript snippets are allowed or forbidden
* @param bool $state
@@ -384,6 +387,18 @@ class EmptyContentSecurityPolicy {
}
/**
+ * Add location to report CSP violations to
+ *
+ * @param string $location
+ * @return $this
+ * @since 15.0.0
+ */
+ public function addReportTo(string $location) {
+ $this->reportTo[] = $location;
+ return $this;
+ }
+
+ /**
* Get the generated Content-Security-Policy as a string
* @return string
* @since 8.1.0
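Review bot: The method is named `addReportTo` but the directive `buildPolicy()` emits from this list is `report-uri`; in CSP Level 3 `report-to` is a different directive that takes a reporting-endpoint group name, not a URI, so the name invites callers to pass the wrong kind of value. Either rename to `addReportUri` (keeping `addReportTo` as a thin alias for compatibility) or make the docblock explicit: `Add a URI to send CSP violation reports to (emitted as the report-uri directive)`. The `$location` string is appended unvalidated and later joined with spaces, so a value containing `;` or whitespace would alter the policy string; the callers are presumably app code rather than end users, but a docblock line such as `@param string $location absolute URI, no whitespace or ';'` would make that expectation visible.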
@@ -472,6 +487,11 @@ class EmptyContentSecurityPolicy {
$policy .= ';';
}
+ if (!empty($this->reportTo)) {
+ $policy .= 'report-uri ' . implode(' ', $this->reportTo);
+ $policy .= ';';
+ }
+
return rtrim($policy, ';');
}
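Review bot: `report-uri` is deprecated in CSP Level 3 in favour of `report-to` plus a `Reporting-Endpoints`/`Report-To` header, though browsers still honour it; a comment on the new branch should say this so a later change does not "fix" the directive name without also adding the endpoint-group header, e.g. `// report-uri is deprecated in CSP3 but still widely supported; report-to needs a separate Reporting-Endpoints header`. The entries are joined with a single space and no escaping, matching the other directives, so the same caveat about values containing ';' applies. `buildPolicy()` begins above this hunk.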
}
diff --git a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
index 7c30df730d3..7e86903892f 100644
--- a/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
+++ b/tests/lib/AppFramework/Http/EmptyContentSecurityPolicyTest.php
@@ -451,4 +451,19 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
$this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
+
+ public function testGetPolicyWithReportUri() {
+ $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com";
+
+ $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
+ $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+ }
+
+ public function testGetPolicyWithMultipleReportUri() {
+ $expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com https://my-other-report-uri.com";
+
+ $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
+ $this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");
+ $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
+ }
}
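Review bot: The new tests cover one and two report URIs but not the fluent return documented as `@return $this` on `addReportTo()`, nor the private subclass accessors; a one-line `$this->assertSame($this->contentSecurityPolicy, $this->contentSecurityPolicy->addReportTo("https://my-report-uri.com"));` would pin the chaining contract. It would also be worth asserting that `getReportTo()` on `\OC\Security\CSP\ContentSecurityPolicy` returns `[]` by default, since the public base initialises the property to `null` and only the subclass overrides it to `[]`.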