From f94ee725073d22302740800b252f9e70675ae46f Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Tue, 30 Jul 2019 23:13:46 +0200
Subject: [PATCH] Add form-action CSP element

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 .../Security/CSP/ContentSecurityPolicy.php    |  9 ++++++
 .../Http/ContentSecurityPolicy.php            |  5 ++++
 .../Http/EmptyContentSecurityPolicy.php       | 30 +++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index a066c986f1..9d1d043a16 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -225,6 +225,15 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
 	}
 
+	public function getAllowedFormActionDomains(): array {
+		return $this->allowedFormActionDomains;
+	}
+
+	public function setAllowedFormActionDomains(array $allowedFormActionDomains): void {
+		$this->allowedFormActionDomains = $allowedFormActionDomains;
+	}
+
+
 	public function getReportTo(): array {
 		return $this->reportTo;
 	}
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index c12fbc7561..0bb776a08e 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 	/** @var array Domains from which web-workers can be loaded */
 	protected $allowedWorkerSrcDomains = [];
 
+	/** @var array Domains which can be used as target for forms */
+	protected $allowedFormActionDomains = [
+		'\'self\'',
+	];
+
 	/** @var array Locations to report violations to */
 	protected $reportTo = [];
 }
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 0a77e27d8c..de892aacf2 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy {
 	protected $allowedFrameAncestors = null;
 	/** @var array Domains from which web-workers can be loaded */
 	protected $allowedWorkerSrcDomains = null;
+	/** @var array Domains which can be used as target for forms */
+	protected $allowedFormActionDomains = null;
 
 	/** @var array Locations to report violations to */
 	protected $reportTo = null;
@@ -386,6 +388,29 @@ class EmptyContentSecurityPolicy {
 		return $this;
 	}
 
+	/**
+	 * Domain to where forms can submit
+	 *
+	 * @since 17.0.0
+	 *
+	 * @return $this
+	 */
+	public function addAllowedFormActionDomain(string $domain) {
+		$this->allowedFormActionDomains[] = $domain;
+		return $this;
+	}
+
+	/**
+	 * Remove domain to where forms can submit
+	 *
+	 * @return $this
+	 * @since 17.0.0
+	 */
+	public function disallowFormActionDomain(string $domain) {
+		$this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
+		return $this;
+	}
+
 	/**
 	 * Add location to report CSP violations to
 	 *
@@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy {
 			$policy .= ';';
 		}
 
+		if (!empty($this->allowedFormActionDomains)) {
+			$policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
+			$policy .= ';';
+		}
+
 		if (!empty($this->reportTo)) {
 			$policy .= 'report-uri ' . implode(' ', $this->reportTo);
 			$policy .= ';';