Add CSP frame-ancestors support
Didn't set the @since annotation yet. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
8500e11457
commit
ecf347bd1a
|
@ -197,4 +197,18 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
||||||
$this->allowedChildSrcDomains = $allowedChildSrcDomains;
|
$this->allowedChildSrcDomains = $allowedChildSrcDomains;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
public function getAllowedFrameAncestors() {
|
||||||
|
return $this->allowedFrameAncestors;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param array $allowedFrameAncestors
|
||||||
|
*/
|
||||||
|
public function setAllowedFrameAncestors($allowedFrameAncestors) {
|
||||||
|
$this->allowedFrameAncestors = $allowedFrameAncestors;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -84,4 +84,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
|
||||||
];
|
];
|
||||||
/** @var array Domains from which web-workers and nested browsing content can load elements */
|
/** @var array Domains from which web-workers and nested browsing content can load elements */
|
||||||
protected $allowedChildSrcDomains = [];
|
protected $allowedChildSrcDomains = [];
|
||||||
|
|
||||||
|
/** @var array Domains which can embeed this Nextcloud instance */
|
||||||
|
protected $allowedFrameAncestors = [];
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,6 +68,8 @@ class EmptyContentSecurityPolicy {
|
||||||
protected $allowedFontDomains = null;
|
protected $allowedFontDomains = null;
|
||||||
/** @var array Domains from which web-workers and nested browsing content can load elements */
|
/** @var array Domains from which web-workers and nested browsing content can load elements */
|
||||||
protected $allowedChildSrcDomains = null;
|
protected $allowedChildSrcDomains = null;
|
||||||
|
/** @var array Domains which can embeed this Nextcloud instance */
|
||||||
|
protected $allowedFrameAncestors = null;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Whether inline JavaScript snippets are allowed or forbidden
|
* Whether inline JavaScript snippets are allowed or forbidden
|
||||||
|
@ -326,6 +328,30 @@ class EmptyContentSecurityPolicy {
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Domains which can embeed an iFrame of the Nextcloud instance
|
||||||
|
*
|
||||||
|
* @param string $domain
|
||||||
|
* @return $this
|
||||||
|
* @since 12.x
|
||||||
|
*/
|
||||||
|
public function addAllowedFrameAncestorDomain($domain) {
|
||||||
|
$this->allowedFrameAncestors[] = $domain;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Domains which can embeed an iFrame of the Nextcloud instance
|
||||||
|
*
|
||||||
|
* @param string $domain
|
||||||
|
* @return $this
|
||||||
|
* @since 12.x
|
||||||
|
*/
|
||||||
|
public function disallowFrameAncestorDomain($domain) {
|
||||||
|
$this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the generated Content-Security-Policy as a string
|
* Get the generated Content-Security-Policy as a string
|
||||||
* @return string
|
* @return string
|
||||||
|
@ -405,6 +431,11 @@ class EmptyContentSecurityPolicy {
|
||||||
$policy .= ';';
|
$policy .= ';';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(!empty($this->allowedFrameAncestors)) {
|
||||||
|
$policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
|
||||||
|
$policy .= ';';
|
||||||
|
}
|
||||||
|
|
||||||
return rtrim($policy, ';');
|
return rtrim($policy, ';');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -426,4 +426,45 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
|
||||||
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
|
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
|
||||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
public function testGetAllowedFrameAncestorDomain() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-ancestors sub.nextcloud.com";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyFrameAncestorValidMultiple() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-ancestors sub.nextcloud.com foo.nextcloud.com";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addAllowedFrameAncestorDomain('sub.nextcloud.com');
|
||||||
|
$this->contentSecurityPolicy->addAllowedFrameAncestorDomain('foo.nextcloud.com');
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyDisallowFrameAncestorDomain() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
|
||||||
|
$this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.com');
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyDisallowFrameAncestorDomainMultiple() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self';frame-ancestors www.nextcloud.com";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addAllowedFrameAncestorDomain('www.nextcloud.com');
|
||||||
|
$this->contentSecurityPolicy->disallowFrameAncestorDomain('www.nextcloud.org');
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetPolicyDisallowFrameAncestorDomainMultipleStakes() {
|
||||||
|
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
|
||||||
|
|
||||||
|
$this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
|
||||||
|
$this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
|
||||||
|
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue