Merge pull request #11040 from nextcloud/feature/11035/worker-src

Add worker-src to CSP

lib/private/Security/CSP/ContentSecurityPolicy.php

@@ -187,6 +187,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 
 	/**
 	 * @return array
+	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
 	 */
 	public function getAllowedChildSrcDomains(): array {
 		return $this->allowedChildSrcDomains;
@@ -194,6 +195,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 
 	/**
 	 * @param array $allowedChildSrcDomains
+	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
 	 */
 	public function setAllowedChildSrcDomains($allowedChildSrcDomains) {
 		$this->allowedChildSrcDomains = $allowedChildSrcDomains;
@@ -213,4 +215,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		$this->allowedFrameAncestors = $allowedFrameAncestors;
 	}
 
+	public function getAllowedWorkerSrcDomains(): array {
+		return $this->allowedWorkerSrcDomains;
+	}
+
+	public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
+		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
+	}
+
 }

lib/public/AppFramework/Http/ContentSecurityPolicy.php

@@ -91,4 +91,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 
 	/** @var array Domains which can embed this Nextcloud instance */
 	protected $allowedFrameAncestors = [];
+
+	/** @var array Domains from which web-workers can be loaded */
+	protected $allowedWorkerSrcDomains = [];
 }

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

@@ -73,6 +73,8 @@ class EmptyContentSecurityPolicy {
 	protected $allowedChildSrcDomains = null;
 	/** @var array Domains which can embed this Nextcloud instance */
 	protected $allowedFrameAncestors = null;
+	/** @var array Domains from which web-workers can be loaded */
+	protected $allowedWorkerSrcDomains = null;
 
 	/**
 	 * Whether inline JavaScript snippets are allowed or forbidden
@@ -313,6 +315,7 @@ class EmptyContentSecurityPolicy {
 	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
 	 * @return $this
 	 * @since 8.1.0
+	 * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
 	 */
 	public function addAllowedChildSrcDomain($domain) {
 		$this->allowedChildSrcDomains[] = $domain;
@@ -325,6 +328,7 @@ class EmptyContentSecurityPolicy {
 	 * @param string $domain
 	 * @return $this
 	 * @since 8.1.0
+	 * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
 	 */
 	public function disallowChildSrcDomain($domain) {
 		$this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
@@ -355,6 +359,30 @@ class EmptyContentSecurityPolicy {
 		return $this;
 	}
 
+	/**
+	 * Domain from which workers can be loaded
+	 *
+	 * @param string $domain
+	 * @return $this
+	 * @since 15.0.0
+	 */
+	public function addAllowedWorkerSrcDomain(string $domain) {
+		$this->allowedWorkerSrcDomains[] = $domain;
+		return $this;
+	}
+
+	/**
+	 * Remove domain from which workers can be loaded
+	 *
+	 * @param string $domain
+	 * @return $this
+	 * @since 15.0.0
+	 */
+	public function disallowWorkerSrcDomain(string $domain) {
+		$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
+		return $this;
+	}
+
 	/**
 	 * Get the generated Content-Security-Policy as a string
 	 * @return string
@@ -439,6 +467,11 @@ class EmptyContentSecurityPolicy {
 			$policy .= ';';
 		}
 
+		if (!empty($this->allowedWorkerSrcDomains)) {
+			$policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
+			$policy .= ';';
+		}
+
 		return rtrim($policy, ';');
 	}
 }