From df67a04385e64d2e14a7c0385289904d04b53301 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 13 Apr 2014 11:51:03 +0200 Subject: [PATCH 1/5] Move security headers to base.php Some headers were currently only added to the templates but not to other components (e.g. SabreDAV / JSON / etc...) The migration to base.php ensures that the headers are served to all requests passing base.php --- lib/base.php | 31 +++++++++++++++++++++++++++++++ lib/private/template.php | 26 +------------------------- 2 files changed, 32 insertions(+), 25 deletions(-) diff --git a/lib/base.php b/lib/base.php index 6ea77aa7a5..34baba69d4 100644 --- a/lib/base.php +++ b/lib/base.php @@ -213,6 +213,36 @@ class OC { } } + /* + * This function adds some security related headers to all requests + * served via base.php + * The implementation of this function as to happen here to ensure that + * all third-party components (e.g. SabreDAV) also benefit from this + * headers + */ + public static function addSecurityHeaders() { + header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters + header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + + // iFrame Restriction Policy + $xFramePolicy = OC_Config::getValue('xframe_restriction', true); + if($xFramePolicy) { + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + } + + // Content Security Policy + // If you change the standard policy, please also change it in config.sample.php + $policy = OC_Config::getValue('custom_csp_policy', + 'default-src \'self\'; ' + .'script-src \'self\' \'unsafe-eval\'; ' + .'style-src \'self\' \'unsafe-inline\'; ' + .'frame-src *; ' + .'img-src *; ' + .'font-src \'self\' data:; ' + .'media-src *'); + header('Content-Security-Policy:'.$policy); + } + public static function checkSSL() { // redirect to https site if configured if (OC_Config::getValue("forcessl", false)) { @@ -512,6 +542,7 @@ class OC { self::checkConfig(); self::checkInstalled(); self::checkSSL(); + self::addSecurityHeaders(); $errors = OC_Util::checkServer(); if (count($errors) > 0) { diff --git a/lib/private/template.php b/lib/private/template.php index c6851c6cc8..b7db569095 100644 --- a/lib/private/template.php +++ b/lib/private/template.php @@ -64,31 +64,7 @@ class OC_Template extends \OC\Template\Base { $this->path = $path; parent::__construct($template, $requesttoken, $l10n, $themeDefaults); - - // Some headers to enhance security - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters - header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - - // iFrame Restriction Policy - $xFramePolicy = OC_Config::getValue('xframe_restriction', true); - if($xFramePolicy) { - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains - } - - // Content Security Policy - // If you change the standard policy, please also change it in config.sample.php - $policy = OC_Config::getValue('custom_csp_policy', - 'default-src \'self\'; ' - .'script-src \'self\' \'unsafe-eval\'; ' - .'style-src \'self\' \'unsafe-inline\'; ' - .'frame-src *; ' - .'img-src *; ' - .'font-src \'self\' data:; ' - .'media-src *'); - header('Content-Security-Policy:'.$policy); // Standard - - } - +} /** * autodetect the formfactor of the used device * default -> the normal desktop browser interface From a2a850dd91664cbfeba50186d5219d90d62eadd2 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 13 Apr 2014 11:52:31 +0200 Subject: [PATCH 2/5] Fix indentation --- lib/private/template.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/private/template.php b/lib/private/template.php index b7db569095..610d5fbc8e 100644 --- a/lib/private/template.php +++ b/lib/private/template.php @@ -64,7 +64,8 @@ class OC_Template extends \OC\Template\Base { $this->path = $path; parent::__construct($template, $requesttoken, $l10n, $themeDefaults); -} + } + /** * autodetect the formfactor of the used device * default -> the normal desktop browser interface From b04d95b1160673dbaa80ce214f22e931e8c93178 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 13 Apr 2014 12:48:16 +0200 Subject: [PATCH 3/5] Remove uneeded usages of nosniff --- lib/private/json.php | 2 -- lib/public/appframework/http/jsonresponse.php | 1 - tests/lib/appframework/http/JSONResponseTest.php | 7 ------- 3 files changed, 10 deletions(-) diff --git a/lib/private/json.php b/lib/private/json.php index 4ccdb490a6..34f81c3b8c 100644 --- a/lib/private/json.php +++ b/lib/private/json.php @@ -119,8 +119,6 @@ class OC_JSON{ * Encode and print $data in json format */ public static function encodedPrint($data, $setContentType=true) { - // Disable mimesniffing, don't move this to setContentTypeHeader! - header( 'X-Content-Type-Options: nosniff' ); if($setContentType) { self::setContentTypeHeader(); } diff --git a/lib/public/appframework/http/jsonresponse.php b/lib/public/appframework/http/jsonresponse.php index 6628c4514d..6d029b7464 100644 --- a/lib/public/appframework/http/jsonresponse.php +++ b/lib/public/appframework/http/jsonresponse.php @@ -49,7 +49,6 @@ class JSONResponse extends Response { public function __construct($data=array(), $statusCode=Http::STATUS_OK) { $this->data = $data; $this->setStatus($statusCode); - $this->addHeader('X-Content-Type-Options', 'nosniff'); $this->addHeader('Content-type', 'application/json; charset=utf-8'); } diff --git a/tests/lib/appframework/http/JSONResponseTest.php b/tests/lib/appframework/http/JSONResponseTest.php index b9b7c7d638..fbaae1b922 100644 --- a/tests/lib/appframework/http/JSONResponseTest.php +++ b/tests/lib/appframework/http/JSONResponseTest.php @@ -79,13 +79,6 @@ class JSONResponseTest extends \PHPUnit_Framework_TestCase { $this->assertEquals($expected, $this->json->render()); } - - public function testShouldHaveXContentHeaderByDefault() { - $headers = $this->json->getHeaders(); - $this->assertEquals('nosniff', $headers['X-Content-Type-Options']); - } - - public function testConstructorAllowsToSetData() { $data = array('hi'); $code = 300; From 387d46cb988ba2e617de9ede0ff6fb8430e59758 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 13 Apr 2014 12:54:26 +0200 Subject: [PATCH 4/5] Typo + Line breaks --- lib/base.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/base.php b/lib/base.php index 34baba69d4..5fb7b0b467 100644 --- a/lib/base.php +++ b/lib/base.php @@ -214,11 +214,9 @@ class OC { } /* - * This function adds some security related headers to all requests - * served via base.php - * The implementation of this function as to happen here to ensure that - * all third-party components (e.g. SabreDAV) also benefit from this - * headers + * This function adds some security related headers to all requests served via base.php + * The implementation of this function as hto happen here to ensure that all third-party + * components (e.g. SabreDAV) also benefit from this headers. */ public static function addSecurityHeaders() { header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters From c123dc7de4d9dde46bd31dbf6211704f1b4bb82d Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Mon, 14 Apr 2014 10:15:31 +0200 Subject: [PATCH 5/5] Fix typo Thanks @DeepDiver1975 --- lib/base.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/base.php b/lib/base.php index 5fb7b0b467..7098f480e2 100644 --- a/lib/base.php +++ b/lib/base.php @@ -215,7 +215,7 @@ class OC { /* * This function adds some security related headers to all requests served via base.php - * The implementation of this function as hto happen here to ensure that all third-party + * The implementation of this function has to happen here to ensure that all third-party * components (e.g. SabreDAV) also benefit from this headers. */ public static function addSecurityHeaders() {