Add form-action CSP element
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma
parent
f1066fd769
commit
f94ee72507
|
|
@ -225,6 +225,15 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
|||
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
|
||||
}
|
||||
|
||||
public function getAllowedFormActionDomains(): array {
|
||||
return $this->allowedFormActionDomains;
|
||||
}
|
||||
|
||||
public function setAllowedFormActionDomains(array $allowedFormActionDomains): void {
|
||||
$this->allowedFormActionDomains = $allowedFormActionDomains;
|
||||
}
|
||||
|
||||
|
||||
public function getReportTo(): array {
|
||||
return $this->reportTo;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
|
|||
/** @var array Domains from which web-workers can be loaded */
|
||||
protected $allowedWorkerSrcDomains = [];
|
||||
|
||||
/** @var array Domains which can be used as target for forms */
|
||||
protected $allowedFormActionDomains = [
|
||||
'\'self\'',
|
||||
];
|
||||
|
||||
/** @var array Locations to report violations to */
|
||||
protected $reportTo = [];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy {
|
|||
protected $allowedFrameAncestors = null;
|
||||
/** @var array Domains from which web-workers can be loaded */
|
||||
protected $allowedWorkerSrcDomains = null;
|
||||
/** @var array Domains which can be used as target for forms */
|
||||
protected $allowedFormActionDomains = null;
|
||||
|
||||
/** @var array Locations to report violations to */
|
||||
protected $reportTo = null;
|
||||
|
|
@ -386,6 +388,29 @@ class EmptyContentSecurityPolicy {
|
|||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Domain to where forms can submit
|
||||
*
|
||||
* @since 17.0.0
|
||||
*
|
||||
* @return $this
|
||||
*/
|
||||
public function addAllowedFormActionDomain(string $domain) {
|
||||
$this->allowedFormActionDomains[] = $domain;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove domain to where forms can submit
|
||||
*
|
||||
* @return $this
|
||||
* @since 17.0.0
|
||||
*/
|
||||
public function disallowFormActionDomain(string $domain) {
|
||||
$this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add location to report CSP violations to
|
||||
*
|
||||
|
|
@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy {
|
|||
$policy .= ';';
|
||||
}
|
||||
|
||||
if (!empty($this->allowedFormActionDomains)) {
|
||||
$policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
|
||||
$policy .= ';';
|
||||
}
|
||||
|
||||
if (!empty($this->reportTo)) {
|
||||
$policy .= 'report-uri ' . implode(' ', $this->reportTo);
|
||||
$policy .= ';';
|
||||
|
|
|
|||
Loading…
Reference in New Issue