Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
This commit is contained in:
parent
4fdee00c27
commit
7c078a81b4
|
@ -37,6 +37,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
|
||||||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||||
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
||||||
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||||
use OCP\AppFramework\Http\RedirectResponse;
|
use OCP\AppFramework\Http\RedirectResponse;
|
||||||
use OCP\AppFramework\Http\TemplateResponse;
|
use OCP\AppFramework\Http\TemplateResponse;
|
||||||
use OCP\AppFramework\Middleware;
|
use OCP\AppFramework\Middleware;
|
||||||
|
@ -182,6 +183,10 @@ class SecurityMiddleware extends Middleware {
|
||||||
public function afterController($controller, $methodName, Response $response) {
|
public function afterController($controller, $methodName, Response $response) {
|
||||||
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
||||||
|
|
||||||
|
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
|
|
||||||
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
|
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
|
||||||
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
|
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,7 @@
|
||||||
namespace OC\AppFramework\OCS;
|
namespace OC\AppFramework\OCS;
|
||||||
|
|
||||||
use OCP\AppFramework\Http\DataResponse;
|
use OCP\AppFramework\Http\DataResponse;
|
||||||
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||||
use OCP\AppFramework\Http\Response;
|
use OCP\AppFramework\Http\Response;
|
||||||
|
|
||||||
abstract class BaseResponse extends Response {
|
abstract class BaseResponse extends Response {
|
||||||
|
@ -67,7 +68,7 @@ abstract class BaseResponse extends Response {
|
||||||
$this->setETag($dataResponse->getETag());
|
$this->setETag($dataResponse->getETag());
|
||||||
$this->setLastModified($dataResponse->getLastModified());
|
$this->setLastModified($dataResponse->getLastModified());
|
||||||
$this->setCookies($dataResponse->getCookies());
|
$this->setCookies($dataResponse->getCookies());
|
||||||
$this->setContentSecurityPolicy($dataResponse->getContentSecurityPolicy());
|
$this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
|
||||||
|
|
||||||
if ($format === 'json') {
|
if ($format === 'json') {
|
||||||
$this->addHeader(
|
$this->addHeader(
|
||||||
|
|
|
@ -248,18 +248,18 @@ class Response {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set a Content-Security-Policy
|
* Set a Content-Security-Policy
|
||||||
* @param ContentSecurityPolicy $csp Policy to set for the response object
|
* @param EmptyContentSecurityPolicy $csp Policy to set for the response object
|
||||||
* @return $this
|
* @return $this
|
||||||
* @since 8.1.0
|
* @since 8.1.0
|
||||||
*/
|
*/
|
||||||
public function setContentSecurityPolicy(ContentSecurityPolicy $csp) {
|
public function setContentSecurityPolicy(EmptyContentSecurityPolicy $csp) {
|
||||||
$this->contentSecurityPolicy = $csp;
|
$this->contentSecurityPolicy = $csp;
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the currently used Content-Security-Policy
|
* Get the currently used Content-Security-Policy
|
||||||
* @return ContentSecurityPolicy|null Used Content-Security-Policy or null if
|
* @return EmptyContentSecurityPolicy|null Used Content-Security-Policy or null if
|
||||||
* none specified.
|
* none specified.
|
||||||
* @since 8.1.0
|
* @since 8.1.0
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in New Issue