Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
This commit is contained in:
parent
4fdee00c27
commit
7c078a81b4
|
@ -37,6 +37,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
|
|||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\RedirectResponse;
|
||||
use OCP\AppFramework\Http\TemplateResponse;
|
||||
use OCP\AppFramework\Middleware;
|
||||
|
@ -182,6 +183,10 @@ class SecurityMiddleware extends Middleware {
|
|||
public function afterController($controller, $methodName, Response $response) {
|
||||
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
||||
|
||||
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
||||
return $response;
|
||||
}
|
||||
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
|
||||
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
namespace OC\AppFramework\OCS;
|
||||
|
||||
use OCP\AppFramework\Http\DataResponse;
|
||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
|
||||
abstract class BaseResponse extends Response {
|
||||
|
@ -67,7 +68,7 @@ abstract class BaseResponse extends Response {
|
|||
$this->setETag($dataResponse->getETag());
|
||||
$this->setLastModified($dataResponse->getLastModified());
|
||||
$this->setCookies($dataResponse->getCookies());
|
||||
$this->setContentSecurityPolicy($dataResponse->getContentSecurityPolicy());
|
||||
$this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
|
||||
|
||||
if ($format === 'json') {
|
||||
$this->addHeader(
|
||||
|
|
|
@ -248,18 +248,18 @@ class Response {
|
|||
|
||||
/**
|
||||
* Set a Content-Security-Policy
|
||||
* @param ContentSecurityPolicy $csp Policy to set for the response object
|
||||
* @param EmptyContentSecurityPolicy $csp Policy to set for the response object
|
||||
* @return $this
|
||||
* @since 8.1.0
|
||||
*/
|
||||
public function setContentSecurityPolicy(ContentSecurityPolicy $csp) {
|
||||
public function setContentSecurityPolicy(EmptyContentSecurityPolicy $csp) {
|
||||
$this->contentSecurityPolicy = $csp;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the currently used Content-Security-Policy
|
||||
* @return ContentSecurityPolicy|null Used Content-Security-Policy or null if
|
||||
* @return EmptyContentSecurityPolicy|null Used Content-Security-Policy or null if
|
||||
* none specified.
|
||||
* @since 8.1.0
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue