mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Move security headers to base.php 

Some headers were currently only added to the templates but not to other components (e.g. SabreDAV / JSON / etc...)
The migration to base.php ensures that the headers are served to all requests passing base.php
This commit is contained in:
Lukas Reschke 2014-04-13 11:51:03 +02:00
parent 266325eac4
commit df67a04385
2 changed files with 32 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
lib/base.php
View File

@ -213,6 +213,36 @@ class OC {
} }
} }
/*
* This function adds some security related headers to all requests
* served via base.php
* The implementation of this function as to happen here to ensure that
* all third-party components (e.g. SabreDAV) also benefit from this
* headers
*/
public static function addSecurityHeaders() {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
.'script-src \'self\' \'unsafe-eval\'; '
.'style-src \'self\' \'unsafe-inline\'; '
.'frame-src *; '
.'img-src *; '
.'font-src \'self\' data:; '
.'media-src *');
header('Content-Security-Policy:'.$policy);
}
public static function checkSSL() { public static function checkSSL() {
// redirect to https site if configured // redirect to https site if configured
if (OC_Config::getValue("forcessl", false)) { if (OC_Config::getValue("forcessl", false)) {
@ -512,6 +542,7 @@ class OC {
self::checkConfig(); self::checkConfig();
self::checkInstalled(); self::checkInstalled();
self::checkSSL(); self::checkSSL();
self::addSecurityHeaders();
$errors = OC_Util::checkServer(); $errors = OC_Util::checkServer();
if (count($errors) > 0) { if (count($errors) > 0) {

26
lib/private/template.php
View File

@ -64,31 +64,7 @@ class OC_Template extends \OC\Template\Base {
$this->path = $path; $this->path = $path;
parent::__construct($template, $requesttoken, $l10n, $themeDefaults); parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
}
// Some headers to enhance security
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
.'script-src \'self\' \'unsafe-eval\'; '
.'style-src \'self\' \'unsafe-inline\'; '
.'frame-src *; '
.'img-src *; '
.'font-src \'self\' data:; '
.'media-src *');
header('Content-Security-Policy:'.$policy); // Standard
}
/** /**
* autodetect the formfactor of the used device * autodetect the formfactor of the used device
* default -> the normal desktop browser interface * default -> the normal desktop browser interface