Merge pull request #14534 from owncloud/add-child-src

Add support for 'child-src' directive
This commit is contained in:
Thomas Müller 2015-03-10 10:30:44 +01:00
commit 214fa44400
2 changed files with 34 additions and 2 deletions


@ -65,6 +65,8 @@ class ContentSecurityPolicy {
private $allowedFontDomains = [ private $allowedFontDomains = [
'\'self\'', '\'self\'',
]; ];
/** @var array Domains from which web-workers and nested browsing content can load elements */
private $allowedChildSrcDomains = [];
/** /**
* Whether inline JavaScript snippets are allowed or forbidden * Whether inline JavaScript snippets are allowed or forbidden
@ -180,6 +182,16 @@ class ContentSecurityPolicy {
return $this; return $this;
} }
/**
* Domains from which web-workers and nested browsing content can load elements
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
* @return $this
*/
public function addAllowedChildSrcDomain($domain) {
$this->allowedChildSrcDomains[] = $domain;
return $this;
}
/** /**
* Get the generated Content-Security-Policy as a string * Get the generated Content-Security-Policy as a string
* @return string * @return string
@ -236,6 +248,11 @@ class ContentSecurityPolicy {
$policy .= ';'; $policy .= ';';
} }
if(!empty($this->allowedChildSrcDomains)) {
$policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
$policy .= ';';
}
return rtrim($policy, ';'); return rtrim($policy, ';');
} }
} }
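Review bot: addAllowedChildSrcDomain() appends $domain straight into $allowedChildSrcDomains, and buildPolicy() later joins those values with spaces and a `;` terminator, so a value containing whitespace or `;` would become extra source expressions or a whole extra directive rather than one host; the docblock only pushes that responsibility to the caller ("needs to be properly sanitized"). That matches the sibling add*Domain methods visible in the context lines, so the check may belong in a shared private helper rather than only here, but the new method is a good place to start: `if (preg_match('/[\s;]/', $domain)) { throw new \InvalidArgumentException('Domain must not contain whitespace or ";"'); }` before the append. If validation is deliberately left to callers, the docblock should say which characters are unsafe, e.g. `@param string $domain Domain to whitelist. Must be a single CSP source expression without whitespace or ";".`. The `*/` on the class-level comment that closes the hunk at line 43 belongs to buildPolicy(), whose start is outside this hunk.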


@ -181,7 +181,6 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetAllowedFrameDomain() { public function testGetAllowedFrameDomain() {
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com"; $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';frame-src www.owncloud.com";
@ -197,8 +196,23 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }
public function testGetAllowedChildSrcDomain() {
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
public function testGetPolicyChildSrcValidMultiple() {
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';child-src child.owncloud.com child.owncloud.org";
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.com');
$this->contentSecurityPolicy->addAllowedChildSrcDomain('child.owncloud.org');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
public function testConfigureStacked() { public function testConfigureStacked() {
$expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org"; $expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org;child-src child.owncloud.org";
$this->contentSecurityPolicy->allowInlineStyle(false) $this->contentSecurityPolicy->allowInlineStyle(false)
->allowEvalScript(false) ->allowEvalScript(false)
@ -209,6 +223,7 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
->addAllowedConnectDomain('connect.owncloud.org') ->addAllowedConnectDomain('connect.owncloud.org')
->addAllowedMediaDomain('media.owncloud.org') ->addAllowedMediaDomain('media.owncloud.org')
->addAllowedObjectDomain('objects.owncloud.org') ->addAllowedObjectDomain('objects.owncloud.org')
->addAllowedChildSrcDomain('child.owncloud.org')
->addAllowedFrameDomain('frame.owncloud.org'); ->addAllowedFrameDomain('frame.owncloud.org');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy()); $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
} }