summaryrefslogtreecommitdiffstats
path: root/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php')
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php30
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 0a77e27d8c0..de892aacf26 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy {
protected $allowedFrameAncestors = null;
/** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = null;
+ /** @var array Domains which can be used as target for forms */
+ protected $allowedFormActionDomains = null;
/** @var array Locations to report violations to */
protected $reportTo = null;
@@ -387,6 +389,29 @@ class EmptyContentSecurityPolicy {
}
/**
+ * Domain to where forms can submit
+ *
+ * @since 17.0.0
+ *
+ * @return $this
+ */
+ public function addAllowedFormActionDomain(string $domain) {
+ $this->allowedFormActionDomains[] = $domain;
+ return $this;
+ }
+
+ /**
+ * Remove domain to where forms can submit
+ *
+ * @return $this
+ * @since 17.0.0
+ */
+ public function disallowFormActionDomain(string $domain) {
+ $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
+ return $this;
+ }
+
+ /**
* Add location to report CSP violations to
*
* @param string $location
@@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy {
$policy .= ';';
}
+ if (!empty($this->allowedFormActionDomains)) {
+ $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
+ $policy .= ';';
+ }
+
if (!empty($this->reportTo)) {
$policy .= 'report-uri ' . implode(' ', $this->reportTo);
$policy .= ';';