diff options
Diffstat (limited to 'lib/public')
| -rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 3 | ||||
| -rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 33 |
2 files changed, 36 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index c705955bb8a..3445e8f8802 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -91,4 +91,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var array Domains which can embed this Nextcloud instance */ protected $allowedFrameAncestors = []; + + /** @var array Domains from which web-workers can be loaded */ + protected $allowedWorkerSrcDomains = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 6397d32cb9c..ddc7918d094 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -73,6 +73,8 @@ class EmptyContentSecurityPolicy { protected $allowedChildSrcDomains = null; /** @var array Domains which can embed this Nextcloud instance */ protected $allowedFrameAncestors = null; + /** @var array Domains from which web-workers can be loaded */ + protected $allowedWorkerSrcDomains = null; /** * Whether inline JavaScript snippets are allowed or forbidden @@ -313,6 +315,7 @@ class EmptyContentSecurityPolicy { * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized. * @return $this * @since 8.1.0 + * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain */ public function addAllowedChildSrcDomain($domain) { $this->allowedChildSrcDomains[] = $domain; @@ -325,6 +328,7 @@ class EmptyContentSecurityPolicy { * @param string $domain * @return $this * @since 8.1.0 + * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain */ public function disallowChildSrcDomain($domain) { $this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]); @@ -356,6 +360,30 @@ class EmptyContentSecurityPolicy { } /** + * Domain from which workers can be loaded + * + * @param string $domain + * @return $this + * @since 15.0.0 + */ + public function addAllowedWorkerSrcDomain(string $domain) { + $this->allowedWorkerSrcDomains[] = $domain; + return $this; + } + + /** + * Remove domain from which workers can be loaded + * + * @param string $domain + * @return $this + * @since 15.0.0 + */ + public function disallowWorkerSrcDomain(string $domain) { + $this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]); + return $this; + } + + /** * Get the generated Content-Security-Policy as a string * @return string * @since 8.1.0 @@ -439,6 +467,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if (!empty($this->allowedWorkerSrcDomains)) { + $policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains); + $policy .= ';'; + } + return rtrim($policy, ';'); } } |