3 files changed, 68 insertions, 202 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 8d9551c8978..890251db040 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -1,28 +1,10 @@
 <?php
 
 declare(strict_types=1);
-
 /**
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- *
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- * @author Thomas Citharel <nextcloud@tcit.fr>
- *
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
+ * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
  */
 namespace OC\Security\CSP;
 
@@ -34,164 +16,106 @@ namespace OC\Security\CSP;
  * @package OC\Security\CSP
  */
 class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy {
-	/**
-	 * @return boolean
-	 */
 	public function isInlineScriptAllowed(): bool {
 		return $this->inlineScriptAllowed;
 	}
 
-	/**
-	 * @param boolean $inlineScriptAllowed
-	 */
-	public function setInlineScriptAllowed(bool $inlineScriptAllowed) {
+	public function setInlineScriptAllowed(bool $inlineScriptAllowed): void {
 		$this->inlineScriptAllowed = $inlineScriptAllowed;
 	}
 
-	/**
-	 * @return boolean
-	 */
 	public function isEvalScriptAllowed(): bool {
 		return $this->evalScriptAllowed;
 	}
 
 	/**
-	 * @param boolean $evalScriptAllowed
-	 *
 	 * @deprecated 17.0.0 Unsafe eval should not be used anymore.
 	 */
-	public function setEvalScriptAllowed(bool $evalScriptAllowed) {
+	public function setEvalScriptAllowed(bool $evalScriptAllowed): void {
 		$this->evalScriptAllowed = $evalScriptAllowed;
 	}
 
-	/**
-	 * @return array
-	 */
+	public function isEvalWasmAllowed(): ?bool {
+		return $this->evalWasmAllowed;
+	}
+
+	public function setEvalWasmAllowed(bool $evalWasmAllowed): void {
+		$this->evalWasmAllowed = $evalWasmAllowed;
+	}
+
 	public function getAllowedScriptDomains(): array {
 		return $this->allowedScriptDomains;
 	}
 
-	/**
-	 * @param array $allowedScriptDomains
-	 */
-	public function setAllowedScriptDomains(array $allowedScriptDomains) {
+	public function setAllowedScriptDomains(array $allowedScriptDomains): void {
 		$this->allowedScriptDomains = $allowedScriptDomains;
 	}
 
-	/**
-	 * @return boolean
-	 */
 	public function isInlineStyleAllowed(): bool {
 		return $this->inlineStyleAllowed;
 	}
 
-	/**
-	 * @param boolean $inlineStyleAllowed
-	 */
-	public function setInlineStyleAllowed(bool $inlineStyleAllowed) {
+	public function setInlineStyleAllowed(bool $inlineStyleAllowed): void {
 		$this->inlineStyleAllowed = $inlineStyleAllowed;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedStyleDomains(): array {
 		return $this->allowedStyleDomains;
 	}
 
-	/**
-	 * @param array $allowedStyleDomains
-	 */
-	public function setAllowedStyleDomains(array $allowedStyleDomains) {
+	public function setAllowedStyleDomains(array $allowedStyleDomains): void {
 		$this->allowedStyleDomains = $allowedStyleDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedImageDomains(): array {
 		return $this->allowedImageDomains;
 	}
 
-	/**
-	 * @param array $allowedImageDomains
-	 */
-	public function setAllowedImageDomains(array $allowedImageDomains) {
+	public function setAllowedImageDomains(array $allowedImageDomains): void {
 		$this->allowedImageDomains = $allowedImageDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedConnectDomains(): array {
 		return $this->allowedConnectDomains;
 	}
 
-	/**
-	 * @param array $allowedConnectDomains
-	 */
-	public function setAllowedConnectDomains(array $allowedConnectDomains) {
+	public function setAllowedConnectDomains(array $allowedConnectDomains): void {
 		$this->allowedConnectDomains = $allowedConnectDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedMediaDomains(): array {
 		return $this->allowedMediaDomains;
 	}
 
-	/**
-	 * @param array $allowedMediaDomains
-	 */
-	public function setAllowedMediaDomains(array $allowedMediaDomains) {
+	public function setAllowedMediaDomains(array $allowedMediaDomains): void {
 		$this->allowedMediaDomains = $allowedMediaDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedObjectDomains(): array {
 		return $this->allowedObjectDomains;
 	}
 
-	/**
-	 * @param array $allowedObjectDomains
-	 */
-	public function setAllowedObjectDomains(array $allowedObjectDomains) {
+	public function setAllowedObjectDomains(array $allowedObjectDomains): void {
 		$this->allowedObjectDomains = $allowedObjectDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedFrameDomains(): array {
 		return $this->allowedFrameDomains;
 	}
 
-	/**
-	 * @param array $allowedFrameDomains
-	 */
-	public function setAllowedFrameDomains(array $allowedFrameDomains) {
+	public function setAllowedFrameDomains(array $allowedFrameDomains): void {
 		$this->allowedFrameDomains = $allowedFrameDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedFontDomains(): array {
 		return $this->allowedFontDomains;
 	}
 
-	/**
-	 * @param array $allowedFontDomains
-	 */
-	public function setAllowedFontDomains($allowedFontDomains) {
+	public function setAllowedFontDomains($allowedFontDomains): void {
 		$this->allowedFontDomains = $allowedFontDomains;
 	}
 
 	/**
-	 * @return array
 	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
 	 */
 	public function getAllowedChildSrcDomains(): array {
@@ -202,13 +126,10 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 	 * @param array $allowedChildSrcDomains
 	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
 	 */
-	public function setAllowedChildSrcDomains($allowedChildSrcDomains) {
+	public function setAllowedChildSrcDomains($allowedChildSrcDomains): void {
 		$this->allowedChildSrcDomains = $allowedChildSrcDomains;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function getAllowedFrameAncestors(): array {
 		return $this->allowedFrameAncestors;
 	}
@@ -216,7 +137,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 	/**
 	 * @param array $allowedFrameAncestors
 	 */
-	public function setAllowedFrameAncestors($allowedFrameAncestors) {
+	public function setAllowedFrameAncestors($allowedFrameAncestors): void {
 		$this->allowedFrameAncestors = $allowedFrameAncestors;
 	}
 
@@ -224,7 +145,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		return $this->allowedWorkerSrcDomains;
 	}
 
-	public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
+	public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains): void {
 		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
 	}
 
@@ -241,21 +162,23 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		return $this->reportTo;
 	}
 
-	public function setReportTo(array $reportTo) {
+	public function setReportTo(array $reportTo): void {
 		$this->reportTo = $reportTo;
 	}
 
-	/**
-	 * @return boolean
-	 */
 	public function isStrictDynamicAllowed(): bool {
 		return $this->strictDynamicAllowed;
 	}
 
-	/**
-	 * @param boolean $strictDynamicAllowed
-	 */
-	public function setStrictDynamicAllowed(bool $strictDynamicAllowed) {
+	public function setStrictDynamicAllowed(bool $strictDynamicAllowed): void {
 		$this->strictDynamicAllowed = $strictDynamicAllowed;
 	}
+
+	public function isStrictDynamicAllowedOnScripts(): bool {
+		return $this->strictDynamicAllowedOnScripts;
+	}
+
+	public function setStrictDynamicAllowedOnScripts(bool $strictDynamicAllowedOnScripts): void {
+		$this->strictDynamicAllowedOnScripts = $strictDynamicAllowedOnScripts;
+	}
 }
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyManager.php b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
index 4930dcb759c..e9d6b2945a8 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
@@ -3,27 +3,9 @@
 declare(strict_types=1);
 
 /**
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- *
- * @author Christoph Wurst <christoph@winzerhof-wurst.at>
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- *
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
+ * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
  */
 namespace OC\Security\CSP;
 
@@ -35,25 +17,21 @@ use OCP\Security\IContentSecurityPolicyManager;
 
 class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
 	/** @var ContentSecurityPolicy[] */
-	private $policies = [];
+	private array $policies = [];
 
-	/** @var IEventDispatcher */
-	private $dispatcher;
-
-	public function __construct(IEventDispatcher $dispatcher) {
-		$this->dispatcher = $dispatcher;
+	public function __construct(
+		private IEventDispatcher $dispatcher,
+	) {
 	}
 
 	/** {@inheritdoc} */
-	public function addDefaultPolicy(EmptyContentSecurityPolicy $policy) {
+	public function addDefaultPolicy(EmptyContentSecurityPolicy $policy): void {
 		$this->policies[] = $policy;
 	}
 
 	/**
 	 * Get the configured default policy. This is not in the public namespace
 	 * as it is only supposed to be used by core itself.
-	 *
-	 * @return ContentSecurityPolicy
 	 */
 	public function getDefaultPolicy(): ContentSecurityPolicy {
 		$event = new AddContentSecurityPolicyEvent($this);
@@ -68,21 +46,19 @@ class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
 
 	/**
 	 * Merges the first given policy with the second one
-	 *
-	 * @param ContentSecurityPolicy $defaultPolicy
-	 * @param EmptyContentSecurityPolicy $originalPolicy
-	 * @return ContentSecurityPolicy
 	 */
-	public function mergePolicies(ContentSecurityPolicy $defaultPolicy,
-								  EmptyContentSecurityPolicy $originalPolicy): ContentSecurityPolicy {
+	public function mergePolicies(
+		ContentSecurityPolicy $defaultPolicy,
+		EmptyContentSecurityPolicy $originalPolicy,
+	): ContentSecurityPolicy {
 		foreach ((object)(array)$originalPolicy as $name => $value) {
-			$setter = 'set'.ucfirst($name);
+			$setter = 'set' . ucfirst($name);
 			if (\is_array($value)) {
-				$getter = 'get'.ucfirst($name);
+				$getter = 'get' . ucfirst($name);
 				$currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
 				$defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
 			} elseif (\is_bool($value)) {
-				$getter = 'is'.ucfirst($name);
+				$getter = 'is' . ucfirst($name);
 				$currentValue = $defaultPolicy->$getter();
 				// true wins over false
 				if ($value > $currentValue) {
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 1167b3358d2..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -3,30 +3,8 @@
 declare(strict_types=1);
 
 /**
- * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
- *
- * @author Christoph Wurst <christoph@winzerhof-wurst.at>
- * @author Joas Schilling <coding@schilljs.com>
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Pavel Krasikov <klonishe@gmail.com>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- * @author Sam Bull <aa6bs0@sambull.org>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 namespace OC\Security\CSP;
 
@@ -38,32 +16,25 @@ use OCP\IRequest;
  * @package OC\Security\CSP
  */
 class ContentSecurityPolicyNonceManager {
-	/** @var CsrfTokenManager */
-	private $csrfTokenManager;
-	/** @var IRequest */
-	private $request;
-	/** @var string */
-	private $nonce = '';
+	private string $nonce = '';
 
-	/**
-	 * @param CsrfTokenManager $csrfTokenManager
-	 * @param IRequest $request
-	 */
-	public function __construct(CsrfTokenManager $csrfTokenManager,
-								IRequest $request) {
-		$this->csrfTokenManager = $csrfTokenManager;
-		$this->request = $request;
+	public function __construct(
+		private CsrfTokenManager $csrfTokenManager,
+		private IRequest $request,
+	) {
 	}
 
 	/**
-	 * Returns the current CSP nounce
-	 *
-	 * @return string
+	 * Returns the current CSP nonce
 	 */
 	public function getNonce(): string {
 		if ($this->nonce === '') {
 			if (empty($this->request->server['CSP_NONCE'])) {
-				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+				// Get the token from the CSRF token, we only use the "shared secret" part
+				// as the first part does not add any security / entropy to the token
+				// so it can be ignored to keep the nonce short while keeping the same randomness
+				$csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+				$this->nonce = end($csrfSecret);
 			} else {
 				$this->nonce = $this->request->server['CSP_NONCE'];
 			}
@@ -74,20 +45,16 @@ class ContentSecurityPolicyNonceManager {
 
 	/**
 	 * Check if the browser supports CSP v3
-	 *
-	 * @return bool
 	 */
 	public function browserSupportsCspV3(): bool {
-		$browserWhitelist = [
-			Request::USER_AGENT_CHROME,
-			Request::USER_AGENT_FIREFOX,
-			Request::USER_AGENT_SAFARI,
+		$browserBlocklist = [
+			Request::USER_AGENT_IE,
 		];
 
-		if ($this->request->isUserAgent($browserWhitelist)) {
-			return true;
+		if ($this->request->isUserAgent($browserBlocklist)) {
+			return false;
 		}
 
-		return false;
+		return true;
 	}
 }