Set empty CSP by default
For #14179 By default responses should have the strictest (and simplest) CSP possible. Only template responses should require an actual CSP. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
4e88cd3aae
commit
7276735eb4
@ -49,6 +49,8 @@ class DataDisplayResponse extends Response {
|
||||||
*/
|
*/
|
||||||
public function __construct($data='', $statusCode=Http::STATUS_OK,
|
public function __construct($data='', $statusCode=Http::STATUS_OK,
|
||||||
$headers=[]) {
|
$headers=[]) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->data = $data;
|
$this->data = $data;
|
||||||
$this->setStatus($statusCode);
|
$this->setStatus($statusCode);
|
||||||
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
||||||
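Review bot: The new `parent::__construct()` installs an EmptyContentSecurityPolicy before `$this->setHeaders(array_merge($this->getHeaders(), $headers))` runs, and the ResponseTest change in this same commit shows that `getHeaders()` includes the serialised `Content-Security-Policy`, so the merge appears to copy the strict policy string into the stored header map at construction time. Whether a later `setContentSecurityPolicy()` on such a response still wins over that stored string depends on how `getHeaders()` orders the two, which is outside this hunk; a test that constructs a DataResponse, calls `setContentSecurityPolicy(new ContentSecurityPolicy())` and asserts the emitted header reflects the new policy would settle it. The same construct-then-merge pattern is in the DataResponse and FileDisplayResponse hunks. The constructor body continues outside this hunk.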
@ -52,6 +52,8 @@ class DataResponse extends Response {
|
||||||
*/
|
*/
|
||||||
public function __construct($data=array(), $statusCode=Http::STATUS_OK,
|
public function __construct($data=array(), $statusCode=Http::STATUS_OK,
|
||||||
array $headers=array()) {
|
array $headers=array()) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->data = $data;
|
$this->data = $data;
|
||||||
$this->setStatus($statusCode);
|
$this->setStatus($statusCode);
|
||||||
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
||||||
@ -30,7 +30,7 @@ namespace OCP\AppFramework\Http;
|
||||||
* Prompts the user to download the a file
|
* Prompts the user to download the a file
|
||||||
* @since 7.0.0
|
* @since 7.0.0
|
||||||
*/
|
*/
|
||||||
class DownloadResponse extends \OCP\AppFramework\Http\Response {
|
class DownloadResponse extends Response {
|
||||||
|
|
||||||
private $filename;
|
private $filename;
|
||||||
private $contentType;
|
private $contentType;
|
||||||
@ -42,6 +42,8 @@ class DownloadResponse extends \OCP\AppFramework\Http\Response {
|
||||||
* @since 7.0.0
|
* @since 7.0.0
|
||||||
*/
|
*/
|
||||||
public function __construct($filename, $contentType) {
|
public function __construct($filename, $contentType) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->filename = $filename;
|
$this->filename = $filename;
|
||||||
$this->contentType = $contentType;
|
$this->contentType = $contentType;
|
||||||
|
|
||||||
@ -45,6 +45,8 @@ class FileDisplayResponse extends Response implements ICallbackResponse {
|
||||||
*/
|
*/
|
||||||
public function __construct($file, $statusCode=Http::STATUS_OK,
|
public function __construct($file, $statusCode=Http::STATUS_OK,
|
||||||
$headers=[]) {
|
$headers=[]) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->file = $file;
|
$this->file = $file;
|
||||||
$this->setStatus($statusCode);
|
$this->setStatus($statusCode);
|
||||||
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
$this->setHeaders(array_merge($this->getHeaders(), $headers));
|
||||||
@ -53,6 +53,8 @@ class JSONResponse extends Response {
|
||||||
* @since 6.0.0
|
* @since 6.0.0
|
||||||
*/
|
*/
|
||||||
public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
|
public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->data = $data;
|
$this->data = $data;
|
||||||
$this->setStatus($statusCode);
|
$this->setStatus($statusCode);
|
||||||
$this->addHeader('Content-Type', 'application/json; charset=utf-8');
|
$this->addHeader('Content-Type', 'application/json; charset=utf-8');
|
||||||
@ -35,6 +35,8 @@ class NotFoundResponse extends Response {
|
||||||
* @since 8.1.0
|
* @since 8.1.0
|
||||||
*/
|
*/
|
||||||
public function __construct() {
|
public function __construct() {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->setStatus(404);
|
$this->setStatus(404);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -59,6 +59,8 @@ class OCSResponse extends Response {
|
||||||
public function __construct($format, $statuscode, $message,
|
public function __construct($format, $statuscode, $message,
|
||||||
$data=[], $itemscount='',
|
$data=[], $itemscount='',
|
||||||
$itemsperpage='') {
|
$itemsperpage='') {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->format = $format;
|
$this->format = $format;
|
||||||
$this->statuscode = $statuscode;
|
$this->statuscode = $statuscode;
|
||||||
$this->message = $message;
|
$this->message = $message;
|
||||||
@ -43,6 +43,8 @@ class RedirectResponse extends Response {
|
||||||
* @since 7.0.0
|
* @since 7.0.0
|
||||||
*/
|
*/
|
||||||
public function __construct($redirectURL) {
|
public function __construct($redirectURL) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->redirectURL = $redirectURL;
|
$this->redirectURL = $redirectURL;
|
||||||
$this->setStatus(Http::STATUS_SEE_OTHER);
|
$this->setStatus(Http::STATUS_SEE_OTHER);
|
||||||
$this->addHeader('Location', $redirectURL);
|
$this->addHeader('Location', $redirectURL);
|
||||||
@ -89,6 +89,15 @@ class Response {
|
||||||
/** @var array */
|
/** @var array */
|
||||||
private $throttleMetadata = [];
|
private $throttleMetadata = [];
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Response constructor.
|
||||||
|
*
|
||||||
|
* @since 17.0.0
|
||||||
|
*/
|
||||||
|
public function __construct() {
|
||||||
|
$this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Caches the response
|
* Caches the response
|
||||||
* @param int $cacheSeconds the amount of seconds that should be cached
|
* @param int $cacheSeconds the amount of seconds that should be cached
|
||||||
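Review bot: The new constructor is the only place the default policy is applied, so any subclass, including third-party app responses, whose constructor does not call `parent::__construct()` leaves `getContentSecurityPolicy()` at the property's declared default (presumably null) and silently loses the strict default; the docblock should say so: `* Subclasses that declare their own constructor must call parent::__construct(), otherwise no default ContentSecurityPolicy is set.` Any code that previously treated a null policy as "no explicit policy set", such as a middleware or the header rendering path, now always receives an object; if such a check exists it is outside this diff and should be verified. A one-line reason for choosing EmptyContentSecurityPolicy over ContentSecurityPolicy would also help the next reader, e.g. `* Non-HTML responses get the strictest policy; TemplateResponse replaces it with the standard one.`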
@ -42,6 +42,8 @@ class StreamResponse extends Response implements ICallbackResponse {
|
||||||
* @since 8.1.0
|
* @since 8.1.0
|
||||||
*/
|
*/
|
||||||
public function __construct ($filePath) {
|
public function __construct ($filePath) {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->filePath = $filePath;
|
$this->filePath = $filePath;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -75,10 +75,14 @@ class TemplateResponse extends Response {
|
||||||
*/
|
*/
|
||||||
public function __construct($appName, $templateName, array $params=array(),
|
public function __construct($appName, $templateName, array $params=array(),
|
||||||
$renderAs='user') {
|
$renderAs='user') {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->templateName = $templateName;
|
$this->templateName = $templateName;
|
||||||
$this->appName = $appName;
|
$this->appName = $appName;
|
||||||
$this->params = $params;
|
$this->params = $params;
|
||||||
$this->renderAs = $renderAs;
|
$this->renderAs = $renderAs;
|
||||||
|
|
||||||
|
$this->setContentSecurityPolicy(new ContentSecurityPolicy());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
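Review bot: The `$this->setContentSecurityPolicy(new ContentSecurityPolicy());` added at the end of the constructor replaces the EmptyContentSecurityPolicy that `parent::__construct()` just installed, but nothing in the code says why this class is the exception, so a later cleanup could drop it as redundant. A why-comment above the line would protect it: `// Templates render HTML that loads scripts and styles, so the strict empty default from Response is replaced with the standard policy.` It may also be worth stating in the constructor docblock that the policy is set last, so a subclass cannot usefully set its own policy before calling this constructor.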
@ -44,6 +44,8 @@ class ZipResponse extends Response implements ICallbackResponse {
|
||||||
* @since 15.0.0
|
* @since 15.0.0
|
||||||
*/
|
*/
|
||||||
public function __construct(IRequest $request, string $name = 'output') {
|
public function __construct(IRequest $request, string $name = 'output') {
|
||||||
|
parent::__construct();
|
||||||
|
|
||||||
$this->name = $name;
|
$this->name = $name;
|
||||||
$this->request = $request;
|
$this->request = $request;
|
||||||
}
|
}
|
||||||
@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase {
|
||||||
'test' => 'something',
|
'test' => 'something',
|
||||||
'Cache-Control' => 'no-cache, no-store, must-revalidate',
|
'Cache-Control' => 'no-cache, no-store, must-revalidate',
|
||||||
'Content-Type' => 'application/json; charset=utf-8',
|
'Content-Type' => 'application/json; charset=utf-8',
|
||||||
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
|
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
|
||||||
];
|
];
|
||||||
|
|
||||||
$response = $this->controller->customDataResponse(array('hi'));
|
$response = $this->controller->customDataResponse(array('hi'));
|
||||||
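Review bot: The expected literal `"default-src 'none';base-uri 'none';manifest-src 'self'"` is now repeated verbatim in ControllerTest, DataResponseTest and ResponseTest. Pinning the exact serialisation in one place is valuable, since it catches an accidental loosening of the default policy, but the other two copies could be derived from an EmptyContentSecurityPolicy instance, if the class exposes a method that builds the header string, so the three do not drift apart. The enclosing test method starts outside this hunk.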
@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase {
|
||||||
|
|
||||||
$expectedHeaders = [
|
$expectedHeaders = [
|
||||||
'Cache-Control' => 'no-cache, no-store, must-revalidate',
|
'Cache-Control' => 'no-cache, no-store, must-revalidate',
|
||||||
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
|
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
|
||||||
];
|
];
|
||||||
$expectedHeaders = array_merge($expectedHeaders, $headers);
|
$expectedHeaders = array_merge($expectedHeaders, $headers);
|
||||||
|
|
||||||
@ -59,7 +59,7 @@ class ResponseTest extends \Test\TestCase {
|
||||||
|
|
||||||
$this->childResponse->setHeaders($expected);
|
$this->childResponse->setHeaders($expected);
|
||||||
$headers = $this->childResponse->getHeaders();
|
$headers = $this->childResponse->getHeaders();
|
||||||
$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
|
$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self'";
|
||||||
|
|
||||||
$this->assertEquals($expected, $headers);
|
$this->assertEquals($expected, $headers);
|
||||||
}
|
}
|
||||||
@ -86,7 +86,7 @@ class ResponseTest extends \Test\TestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testGetCspEmpty() {
|
public function testGetCspEmpty() {
|
||||||
$this->assertNull($this->childResponse->getContentSecurityPolicy());
|
$this->assertEquals(new Http\EmptyContentSecurityPolicy(), $this->childResponse->getContentSecurityPolicy());
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testAddHeaderValueNullDeletesIt(){
|
public function testAddHeaderValueNullDeletesIt(){
|
||||||