Diffstat (limited to 'lib/private/AppFramework/Middleware/Security/CSPMiddleware.php')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/CSPMiddleware.php | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
new file mode 100644
index 00000000000..e88c9563c00
--- /dev/null
+++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\AppFramework\Middleware\Security;
+
+use OC\Security\CSP\ContentSecurityPolicyManager;
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
+use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+
+class CSPMiddleware extends Middleware {
+
+ public function __construct(
+ private ContentSecurityPolicyManager $policyManager,
+ private ContentSecurityPolicyNonceManager $cspNonceManager,
+ ) {
+ }
+
+ /**
+ * Performs the default CSP modifications that may be injected by other
+ * applications
+ *
+ * @param Controller $controller
+ * @param string $methodName
+ * @param Response $response
+ * @return Response
+ */
+ public function afterController($controller, $methodName, Response $response): Response {
+ $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
+
+ if (get_class($policy) === EmptyContentSecurityPolicy::class) {
+ return $response;
+ }
+
+ $defaultPolicy = $this->policyManager->getDefaultPolicy();
+ $defaultPolicy = $this->policyManager->mergePolicies($defaultPolicy, $policy);
+
+ if ($this->cspNonceManager->browserSupportsCspV3()) {
+ $defaultPolicy->useJsNonce($this->cspNonceManager->getNonce());
+ }
+
+ $response->setContentSecurityPolicy($defaultPolicy);
+
+ return $response;
+ }
+}
|
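Review bot: The early return in afterController is an exact-class test (`get_class($policy) === EmptyContentSecurityPolicy::class`), so a response that carries an EmptyContentSecurityPolicy skips both the default policy merge and the nonce; that opt-out is undocumented, and a later reader is likely to "fix" it to `instanceof`, which would also match any subclass — if ContentSecurityPolicy extends EmptyContentSecurityPolicy (the separate import hints at it, confirm in OCP\AppFramework\Http) that rewrite would silently disable the default policy for every response. Suggested comment above the check: `// Exact class match on purpose: EmptyContentSecurityPolicy is the explicit opt-out; subclasses still get the default policy merged in.` As a point of style, the first line calls the getter twice and can be `$policy = $response->getContentSecurityPolicy() ?? new ContentSecurityPolicy();`, and with constructor promotion already in use `get_class($policy)` can be `$policy::class`. Finally, the nonce is only attached when browserSupportsCspV3() says so; since that decision is presumably client-supplied (User-Agent), a short note that a non-matching or spoofed client falls back to the nonce-less default policy would help whoever tunes that policy's script-src.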