Move security headers to base.php
Some headers were currently only added to the templates but not to other components (e.g. SabreDAV / JSON / etc...) The migration to base.php ensures that the headers are served to all requests passing base.php
This commit is contained in:
Lukas Reschke
parent
266325eac4
commit
df67a04385
31
lib/base.php
31
lib/base.php
|
|
@ -213,6 +213,36 @@ class OC {
|
|||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* This function adds some security related headers to all requests
|
||||
* served via base.php
|
||||
* The implementation of this function as to happen here to ensure that
|
||||
* all third-party components (e.g. SabreDAV) also benefit from this
|
||||
* headers
|
||||
*/
|
||||
public static function addSecurityHeaders() {
|
||||
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
||||
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
||||
|
||||
// iFrame Restriction Policy
|
||||
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
|
||||
if($xFramePolicy) {
|
||||
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
||||
}
|
||||
|
||||
// Content Security Policy
|
||||
// If you change the standard policy, please also change it in config.sample.php
|
||||
$policy = OC_Config::getValue('custom_csp_policy',
|
||||
'default-src \'self\'; '
|
||||
.'script-src \'self\' \'unsafe-eval\'; '
|
||||
.'style-src \'self\' \'unsafe-inline\'; '
|
||||
.'frame-src *; '
|
||||
.'img-src *; '
|
||||
.'font-src \'self\' data:; '
|
||||
.'media-src *');
|
||||
header('Content-Security-Policy:'.$policy);
|
||||
}
|
||||
|
||||
public static function checkSSL() {
|
||||
// redirect to https site if configured
|
||||
if (OC_Config::getValue("forcessl", false)) {
|
||||
|
|
@ -512,6 +542,7 @@ class OC {
|
|||
self::checkConfig();
|
||||
self::checkInstalled();
|
||||
self::checkSSL();
|
||||
self::addSecurityHeaders();
|
||||
|
||||
$errors = OC_Util::checkServer();
|
||||
if (count($errors) > 0) {
|
||||
|
|
|
|||
|
|
@ -64,31 +64,7 @@ class OC_Template extends \OC\Template\Base {
|
|||
$this->path = $path;
|
||||
|
||||
parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
|
||||
|
||||
// Some headers to enhance security
|
||||
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
||||
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
||||
|
||||
// iFrame Restriction Policy
|
||||
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
|
||||
if($xFramePolicy) {
|
||||
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
||||
}
|
||||
|
||||
// Content Security Policy
|
||||
// If you change the standard policy, please also change it in config.sample.php
|
||||
$policy = OC_Config::getValue('custom_csp_policy',
|
||||
'default-src \'self\'; '
|
||||
.'script-src \'self\' \'unsafe-eval\'; '
|
||||
.'style-src \'self\' \'unsafe-inline\'; '
|
||||
.'frame-src *; '
|
||||
.'img-src *; '
|
||||
.'font-src \'self\' data:; '
|
||||
.'media-src *');
|
||||
header('Content-Security-Policy:'.$policy); // Standard
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* autodetect the formfactor of the used device
|
||||
* default -> the normal desktop browser interface
|
||||
|
|
|
|||
Loading…
Reference in New Issue