Merge pull request #8183 from owncloud/move-security-headers
Move security headers
This commit is contained in:
commit
5a1a056c6d
29
lib/base.php
29
lib/base.php
|
@ -213,6 +213,34 @@ class OC {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This function adds some security related headers to all requests served via base.php
|
||||||
|
* The implementation of this function has to happen here to ensure that all third-party
|
||||||
|
* components (e.g. SabreDAV) also benefit from this headers.
|
||||||
|
*/
|
||||||
|
public static function addSecurityHeaders() {
|
||||||
|
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
||||||
|
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
||||||
|
|
||||||
|
// iFrame Restriction Policy
|
||||||
|
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
|
||||||
|
if($xFramePolicy) {
|
||||||
|
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
||||||
|
}
|
||||||
|
|
||||||
|
// Content Security Policy
|
||||||
|
// If you change the standard policy, please also change it in config.sample.php
|
||||||
|
$policy = OC_Config::getValue('custom_csp_policy',
|
||||||
|
'default-src \'self\'; '
|
||||||
|
.'script-src \'self\' \'unsafe-eval\'; '
|
||||||
|
.'style-src \'self\' \'unsafe-inline\'; '
|
||||||
|
.'frame-src *; '
|
||||||
|
.'img-src *; '
|
||||||
|
.'font-src \'self\' data:; '
|
||||||
|
.'media-src *');
|
||||||
|
header('Content-Security-Policy:'.$policy);
|
||||||
|
}
|
||||||
|
|
||||||
public static function checkSSL() {
|
public static function checkSSL() {
|
||||||
// redirect to https site if configured
|
// redirect to https site if configured
|
||||||
if (OC_Config::getValue("forcessl", false)) {
|
if (OC_Config::getValue("forcessl", false)) {
|
||||||
|
@ -512,6 +540,7 @@ class OC {
|
||||||
self::checkConfig();
|
self::checkConfig();
|
||||||
self::checkInstalled();
|
self::checkInstalled();
|
||||||
self::checkSSL();
|
self::checkSSL();
|
||||||
|
self::addSecurityHeaders();
|
||||||
|
|
||||||
$errors = OC_Util::checkServer();
|
$errors = OC_Util::checkServer();
|
||||||
if (count($errors) > 0) {
|
if (count($errors) > 0) {
|
||||||
|
|
|
@ -119,8 +119,6 @@ class OC_JSON{
|
||||||
* Encode and print $data in json format
|
* Encode and print $data in json format
|
||||||
*/
|
*/
|
||||||
public static function encodedPrint($data, $setContentType=true) {
|
public static function encodedPrint($data, $setContentType=true) {
|
||||||
// Disable mimesniffing, don't move this to setContentTypeHeader!
|
|
||||||
header( 'X-Content-Type-Options: nosniff' );
|
|
||||||
if($setContentType) {
|
if($setContentType) {
|
||||||
self::setContentTypeHeader();
|
self::setContentTypeHeader();
|
||||||
}
|
}
|
||||||
|
|
|
@ -64,29 +64,6 @@ class OC_Template extends \OC\Template\Base {
|
||||||
$this->path = $path;
|
$this->path = $path;
|
||||||
|
|
||||||
parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
|
parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
|
||||||
|
|
||||||
// Some headers to enhance security
|
|
||||||
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
|
||||||
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
|
||||||
|
|
||||||
// iFrame Restriction Policy
|
|
||||||
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
|
|
||||||
if($xFramePolicy) {
|
|
||||||
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
|
||||||
}
|
|
||||||
|
|
||||||
// Content Security Policy
|
|
||||||
// If you change the standard policy, please also change it in config.sample.php
|
|
||||||
$policy = OC_Config::getValue('custom_csp_policy',
|
|
||||||
'default-src \'self\'; '
|
|
||||||
.'script-src \'self\' \'unsafe-eval\'; '
|
|
||||||
.'style-src \'self\' \'unsafe-inline\'; '
|
|
||||||
.'frame-src *; '
|
|
||||||
.'img-src *; '
|
|
||||||
.'font-src \'self\' data:; '
|
|
||||||
.'media-src *');
|
|
||||||
header('Content-Security-Policy:'.$policy); // Standard
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -49,7 +49,6 @@ class JSONResponse extends Response {
|
||||||
public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
|
public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
|
||||||
$this->data = $data;
|
$this->data = $data;
|
||||||
$this->setStatus($statusCode);
|
$this->setStatus($statusCode);
|
||||||
$this->addHeader('X-Content-Type-Options', 'nosniff');
|
|
||||||
$this->addHeader('Content-type', 'application/json; charset=utf-8');
|
$this->addHeader('Content-type', 'application/json; charset=utf-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -79,13 +79,6 @@ class JSONResponseTest extends \PHPUnit_Framework_TestCase {
|
||||||
$this->assertEquals($expected, $this->json->render());
|
$this->assertEquals($expected, $this->json->render());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public function testShouldHaveXContentHeaderByDefault() {
|
|
||||||
$headers = $this->json->getHeaders();
|
|
||||||
$this->assertEquals('nosniff', $headers['X-Content-Type-Options']);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public function testConstructorAllowsToSetData() {
|
public function testConstructorAllowsToSetData() {
|
||||||
$data = array('hi');
|
$data = array('hi');
|
||||||
$code = 300;
|
$code = 300;
|
||||||
|
|
Loading…
Reference in New Issue