Merge pull request #11914 from nextcloud/csp/report-uri
Add report-uri to CSP
commit
39338aaa67
|
@ -223,4 +223,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
||||||
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
|
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function getReportTo(): array {
|
||||||
|
return $this->reportTo;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function setReportTo(array $reportTo) {
|
||||||
|
$this->reportTo = $reportTo;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
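Review bot: setReportTo(array $reportTo) declares no return type while its sibling getReportTo() declares `: array`; write `public function setReportTo(array $reportTo): void {` so the pair is consistent and an accidental return is caught. The docblock (if one is added) can also narrow the element type: `/** @param string[] $reportTo Locations emitted in the report-uri directive */`. getReportTo()'s `: array` return type relies on the parent OCP\AppFramework\Http\ContentSecurityPolicy initialising $reportTo to `[]` rather than the `null` used in EmptyContentSecurityPolicy; a one-line comment noting that dependency would help the next maintainer.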
@ -90,4 +90,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
|
||||||
|
|
||||||
/** @var array Domains from which web-workers can be loaded */
|
/** @var array Domains from which web-workers can be loaded */
|
||||||
protected $allowedWorkerSrcDomains = [];
|
protected $allowedWorkerSrcDomains = [];
|
||||||
|
|
||||||
|
/** @var array Locations to report violations to */
|
||||||
|
protected $reportTo = [];
|
||||||
}
|
}
|
||||||
|
|
|
@ -76,6 +76,9 @@ class EmptyContentSecurityPolicy {
|
||||||
/** @var array Domains from which web-workers can be loaded */
|
/** @var array Domains from which web-workers can be loaded */
|
||||||
protected $allowedWorkerSrcDomains = null;
|
protected $allowedWorkerSrcDomains = null;
|
||||||
|
|
||||||
|
/** @var array Locations to report violations to */
|
||||||
|
protected $reportTo = null;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Whether inline JavaScript snippets are allowed or forbidden
|
* Whether inline JavaScript snippets are allowed or forbidden
|
||||||
* @param bool $state
|
* @param bool $state
|
||||||
|
@ -383,6 +386,18 @@ class EmptyContentSecurityPolicy {
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add location to report CSP violations to
|
||||||
|
*
|
||||||
|
* @param string $location
|
||||||
|
* @return $this
|
||||||
|
* @since 15.0.0
|
||||||
|
*/
|
||||||
|
public function addReportTo(string $location) {
|
||||||
|
$this->reportTo[] = $location;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the generated Content-Security-Policy as a string
|
* Get the generated Content-Security-Policy as a string
|
||||||
* @return string
|
* @return string
|
||||||
|
@ -472,6 +487,11 @@ class EmptyContentSecurityPolicy {
|
||||||
$policy .= ';';
|
$policy .= ';';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!empty($this->reportTo)) {
|
||||||
|
$policy .= 'report-uri ' . implode(' ', $this->reportTo);
|
||||||
|
$policy .= ';';
|
||||||
|
}
|
||||||
|
|
||||||
return rtrim($policy, ';');
|
return rtrim($policy, ';');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
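Review bot: buildPolicy() concatenates each stored location into the header verbatim, and addReportTo() in the earlier hunk of this file stores the string without checking it, so a location containing `;` or whitespace would be split into additional directives or additional report targets. The values are app-supplied rather than request-supplied as far as this diff shows, but rejecting them at the boundary is cheap: `if (preg_match('/[\s;]/', $location)) { throw new \InvalidArgumentException('CSP report location must not contain whitespace or ";"'); }` at the top of addReportTo(). The method name suggests the CSP Level 3 `report-to` directive while the emitted directive is `report-uri` (which CSP Level 3 marks as deprecated); a docblock line on addReportTo() such as `* Note: this populates the report-uri directive; the report-to/Reporting API header is not configured here` would save readers a trip to buildPolicy(). buildPolicy() begins outside the hunk.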
@ -451,4 +451,19 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
|
||||||
$this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
|
$this->contentSecurityPolicy->addAllowedScriptDomain("'self'");
|
||||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyWithReportUri() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyWithMultipleReportUri() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';report-uri https://my-report-uri.com https://my-other-report-uri.com";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addReportTo("https://my-report-uri.com");
|
||||||
|
$this->contentSecurityPolicy->addReportTo("https://my-other-report-uri.com");
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|