From f94ee725073d22302740800b252f9e70675ae46f Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 30 Jul 2019 23:13:46 +0200 Subject: [PATCH] Add form-action CSP element Signed-off-by: Roeland Jago Douma --- .../Security/CSP/ContentSecurityPolicy.php | 9 ++++++ .../Http/ContentSecurityPolicy.php | 5 ++++ .../Http/EmptyContentSecurityPolicy.php | 30 +++++++++++++++++++ 3 files changed, 44 insertions(+) diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php index a066c986f1..9d1d043a16 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicy.php +++ b/lib/private/Security/CSP/ContentSecurityPolicy.php @@ -225,6 +225,15 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy $this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains; } + public function getAllowedFormActionDomains(): array { + return $this->allowedFormActionDomains; + } + + public function setAllowedFormActionDomains(array $allowedFormActionDomains): void { + $this->allowedFormActionDomains = $allowedFormActionDomains; + } + + public function getReportTo(): array { return $this->reportTo; } diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index c12fbc7561..0bb776a08e 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = []; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = [ + '\'self\'', + ]; + /** @var array Locations to report violations to */ protected $reportTo = []; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 0a77e27d8c..de892aacf2 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy { protected $allowedFrameAncestors = null; /** @var array Domains from which web-workers can be loaded */ protected $allowedWorkerSrcDomains = null; + /** @var array Domains which can be used as target for forms */ + protected $allowedFormActionDomains = null; /** @var array Locations to report violations to */ protected $reportTo = null; @@ -386,6 +388,29 @@ class EmptyContentSecurityPolicy { return $this; } + /** + * Domain to where forms can submit + * + * @since 17.0.0 + * + * @return $this + */ + public function addAllowedFormActionDomain(string $domain) { + $this->allowedFormActionDomains[] = $domain; + return $this; + } + + /** + * Remove domain to where forms can submit + * + * @return $this + * @since 17.0.0 + */ + public function disallowFormActionDomain(string $domain) { + $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]); + return $this; + } + /** * Add location to report CSP violations to * @@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy { $policy .= ';'; } + if (!empty($this->allowedFormActionDomains)) { + $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains); + $policy .= ';'; + } + if (!empty($this->reportTo)) { $policy .= 'report-uri ' . implode(' ', $this->reportTo); $policy .= ';';