2015-02-09 18:30:01 +03:00
|
|
|
|
<?php
|
|
|
|
|
/**
|
2015-03-26 13:44:34 +03:00
|
|
|
|
* @author Lukas Reschke <lukas@owncloud.com>
|
|
|
|
|
* @author Morris Jobke <hey@morrisjobke.de>
|
|
|
|
|
*
|
|
|
|
|
* @copyright Copyright (c) 2015, ownCloud, Inc.
|
|
|
|
|
* @license AGPL-3.0
|
|
|
|
|
*
|
|
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
|
* as published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
|
*
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
2015-02-26 13:37:37 +03:00
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
namespace OCP\AppFramework\Http;
|
|
|
|
|
|
|
|
|
|
use OCP\AppFramework\Http;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Class ContentSecurityPolicy is a simple helper which allows applications to
|
|
|
|
|
* modify the Content-Security-Policy sent by ownCloud. Per default only JavaScript,
|
|
|
|
|
* stylesheets, images, fonts, media and connections from the same domain
|
|
|
|
|
* ('self') are allowed.
|
|
|
|
|
*
|
|
|
|
|
* Even if a value gets modified above defaults will still get appended. Please
|
|
|
|
|
* notice that ownCloud ships already with sensible defaults and those policies
|
|
|
|
|
* should require no modification at all for most use-cases.
|
|
|
|
|
*
|
|
|
|
|
* @package OCP\AppFramework\Http
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
class ContentSecurityPolicy {
|
|
|
|
|
/** @var bool Whether inline JS snippets are allowed */
|
|
|
|
|
private $inlineScriptAllowed = false;
|
|
|
|
|
/**
|
|
|
|
|
* @var bool Whether eval in JS scripts is allowed
|
|
|
|
|
* TODO: Disallow per default
|
|
|
|
|
* @link https://github.com/owncloud/core/issues/11925
|
|
|
|
|
*/
|
|
|
|
|
private $evalScriptAllowed = true;
|
|
|
|
|
/** @var array Domains from which scripts can get loaded */
|
|
|
|
|
private $allowedScriptDomains = [
|
|
|
|
|
'\'self\'',
|
|
|
|
|
];
|
|
|
|
|
/**
|
|
|
|
|
* @var bool Whether inline CSS is allowed
|
|
|
|
|
* TODO: Disallow per default
|
|
|
|
|
* @link https://github.com/owncloud/core/issues/13458
|
|
|
|
|
*/
|
|
|
|
|
private $inlineStyleAllowed = true;
|
|
|
|
|
/** @var array Domains from which CSS can get loaded */
|
|
|
|
|
private $allowedStyleDomains = [
|
|
|
|
|
'\'self\'',
|
|
|
|
|
];
|
|
|
|
|
/** @var array Domains from which images can get loaded */
|
|
|
|
|
private $allowedImageDomains = [
|
|
|
|
|
'\'self\'',
|
2015-08-05 12:41:25 +03:00
|
|
|
|
'data:',
|
2015-09-29 15:18:12 +03:00
|
|
|
|
'blob:',
|
2015-02-09 18:30:01 +03:00
|
|
|
|
];
|
|
|
|
|
/** @var array Domains to which connections can be done */
|
|
|
|
|
private $allowedConnectDomains = [
|
|
|
|
|
'\'self\'',
|
|
|
|
|
];
|
|
|
|
|
/** @var array Domains from which media elements can be loaded */
|
|
|
|
|
private $allowedMediaDomains = [
|
|
|
|
|
'\'self\'',
|
|
|
|
|
];
|
|
|
|
|
/** @var array Domains from which object elements can be loaded */
|
|
|
|
|
private $allowedObjectDomains = [];
|
|
|
|
|
/** @var array Domains from which iframes can be loaded */
|
|
|
|
|
private $allowedFrameDomains = [];
|
|
|
|
|
/** @var array Domains from which fonts can be loaded */
|
|
|
|
|
private $allowedFontDomains = [
|
|
|
|
|
'\'self\'',
|
|
|
|
|
];
|
2015-02-26 14:54:15 +03:00
|
|
|
|
/** @var array Domains from which web-workers and nested browsing content can load elements */
|
|
|
|
|
private $allowedChildSrcDomains = [];
|
2015-02-09 18:30:01 +03:00
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether inline JavaScript snippets are allowed or forbidden
|
|
|
|
|
* @param bool $state
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function allowInlineScript($state = false) {
|
|
|
|
|
$this->inlineScriptAllowed = $state;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Whether eval in JavaScript is allowed or forbidden
|
|
|
|
|
* @param bool $state
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
2015-02-16 14:30:21 +03:00
|
|
|
|
public function allowEvalScript($state = true) {
|
2015-05-20 12:44:37 +03:00
|
|
|
|
$this->evalScriptAllowed = $state;
|
2015-02-09 18:30:01 +03:00
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Allows to execute JavaScript files from a specific domain. Use * to
|
|
|
|
|
* allow JavaScript from all domains.
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedScriptDomain($domain) {
|
|
|
|
|
$this->allowedScriptDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed script domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowScriptDomain($domain) {
|
|
|
|
|
$this->allowedScriptDomains = array_diff($this->allowedScriptDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* Whether inline CSS snippets are allowed or forbidden
|
|
|
|
|
* @param bool $state
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function allowInlineStyle($state = true) {
|
|
|
|
|
$this->inlineStyleAllowed = $state;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Allows to execute CSS files from a specific domain. Use * to allow
|
|
|
|
|
* CSS from all domains.
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedStyleDomain($domain) {
|
|
|
|
|
$this->allowedStyleDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed style domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowStyleDomain($domain) {
|
|
|
|
|
$this->allowedStyleDomains = array_diff($this->allowedStyleDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* Allows using fonts from a specific domain. Use * to allow
|
|
|
|
|
* fonts from all domains.
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedFontDomain($domain) {
|
|
|
|
|
$this->allowedFontDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed font domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowFontDomain($domain) {
|
|
|
|
|
$this->allowedFontDomains = array_diff($this->allowedFontDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* Allows embedding images from a specific domain. Use * to allow
|
|
|
|
|
* images from all domains.
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedImageDomain($domain) {
|
|
|
|
|
$this->allowedImageDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed image domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowImageDomain($domain) {
|
|
|
|
|
$this->allowedImageDomains = array_diff($this->allowedImageDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* To which remote domains the JS connect to.
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedConnectDomain($domain) {
|
|
|
|
|
$this->allowedConnectDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2015-05-20 12:44:37 +03:00
|
|
|
|
* Remove the specified allowed connect domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowConnectDomain($domain) {
|
|
|
|
|
$this->allowedConnectDomains = array_diff($this->allowedConnectDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* From which domains media elements can be embedded.
|
2015-02-09 18:30:01 +03:00
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedMediaDomain($domain) {
|
|
|
|
|
$this->allowedMediaDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed media domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowMediaDomain($domain) {
|
|
|
|
|
$this->allowedMediaDomains = array_diff($this->allowedMediaDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* From which domains objects such as <object>, <embed> or <applet> are executed
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedObjectDomain($domain) {
|
|
|
|
|
$this->allowedObjectDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed object domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowObjectDomain($domain) {
|
|
|
|
|
$this->allowedObjectDomains = array_diff($this->allowedObjectDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* Which domains can be embedded in an iframe
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedFrameDomain($domain) {
|
|
|
|
|
$this->allowedFrameDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed frame domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowFrameDomain($domain) {
|
|
|
|
|
$this->allowedFrameDomains = array_diff($this->allowedFrameDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-26 14:54:15 +03:00
|
|
|
|
/**
|
|
|
|
|
* Domains from which web-workers and nested browsing content can load elements
|
|
|
|
|
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
|
|
|
|
* @return $this
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-26 14:54:15 +03:00
|
|
|
|
*/
|
|
|
|
|
public function addAllowedChildSrcDomain($domain) {
|
|
|
|
|
$this->allowedChildSrcDomains[] = $domain;
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-20 12:44:37 +03:00
|
|
|
|
/**
|
|
|
|
|
* Remove the specified allowed child src domain from the allowed domains.
|
|
|
|
|
*
|
|
|
|
|
* @param string $domain
|
|
|
|
|
* @return $this
|
|
|
|
|
* @since 8.1.0
|
|
|
|
|
*/
|
|
|
|
|
public function disallowChildSrcDomain($domain) {
|
|
|
|
|
$this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
/**
|
|
|
|
|
* Get the generated Content-Security-Policy as a string
|
|
|
|
|
* @return string
|
2015-04-16 18:00:08 +03:00
|
|
|
|
* @since 8.1.0
|
2015-02-09 18:30:01 +03:00
|
|
|
|
*/
|
|
|
|
|
public function buildPolicy() {
|
|
|
|
|
$policy = "default-src 'none';";
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedScriptDomains)) {
|
|
|
|
|
$policy .= 'script-src ' . implode(' ', $this->allowedScriptDomains);
|
|
|
|
|
if($this->inlineScriptAllowed) {
|
|
|
|
|
$policy .= ' \'unsafe-inline\'';
|
|
|
|
|
}
|
|
|
|
|
if($this->evalScriptAllowed) {
|
|
|
|
|
$policy .= ' \'unsafe-eval\'';
|
|
|
|
|
}
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedStyleDomains)) {
|
|
|
|
|
$policy .= 'style-src ' . implode(' ', $this->allowedStyleDomains);
|
|
|
|
|
if($this->inlineStyleAllowed) {
|
|
|
|
|
$policy .= ' \'unsafe-inline\'';
|
|
|
|
|
}
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedImageDomains)) {
|
|
|
|
|
$policy .= 'img-src ' . implode(' ', $this->allowedImageDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedFontDomains)) {
|
|
|
|
|
$policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedConnectDomains)) {
|
|
|
|
|
$policy .= 'connect-src ' . implode(' ', $this->allowedConnectDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedMediaDomains)) {
|
|
|
|
|
$policy .= 'media-src ' . implode(' ', $this->allowedMediaDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedObjectDomains)) {
|
|
|
|
|
$policy .= 'object-src ' . implode(' ', $this->allowedObjectDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(!empty($this->allowedFrameDomains)) {
|
|
|
|
|
$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-26 14:54:15 +03:00
|
|
|
|
if(!empty($this->allowedChildSrcDomains)) {
|
|
|
|
|
$policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
|
|
|
|
|
$policy .= ';';
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-09 18:30:01 +03:00
|
|
|
|
return rtrim($policy, ';');
|
|
|
|
|
}
|
|
|
|
|
}
|