mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add form-action CSP element 

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-07-30 23:13:46 +02:00
parent f1066fd769
commit f94ee72507
No known key found for this signature in database
GPG Key ID: F941078878347C0C
3 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/private/Security/CSP/ContentSecurityPolicy.php
View File

@ -225,6 +225,15 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains; $this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
} }
public function getAllowedFormActionDomains(): array {
return $this->allowedFormActionDomains;
}
public function setAllowedFormActionDomains(array $allowedFormActionDomains): void {
$this->allowedFormActionDomains = $allowedFormActionDomains;
}
public function getReportTo(): array { public function getReportTo(): array {
return $this->reportTo; return $this->reportTo;
} }

5
lib/public/AppFramework/Http/ContentSecurityPolicy.php
View File

@ -93,6 +93,11 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var array Domains from which web-workers can be loaded */ /** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = []; protected $allowedWorkerSrcDomains = [];
/** @var array Domains which can be used as target for forms */
protected $allowedFormActionDomains = [
'\'self\'',
];
/** @var array Locations to report violations to */ /** @var array Locations to report violations to */
protected $reportTo = []; protected $reportTo = [];
} }

30
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View File

@ -75,6 +75,8 @@ class EmptyContentSecurityPolicy {
protected $allowedFrameAncestors = null; protected $allowedFrameAncestors = null;
/** @var array Domains from which web-workers can be loaded */ /** @var array Domains from which web-workers can be loaded */
protected $allowedWorkerSrcDomains = null; protected $allowedWorkerSrcDomains = null;
/** @var array Domains which can be used as target for forms */
protected $allowedFormActionDomains = null;
/** @var array Locations to report violations to */ /** @var array Locations to report violations to */
protected $reportTo = null; protected $reportTo = null;
@ -386,6 +388,29 @@ class EmptyContentSecurityPolicy {
return $this; return $this;
} }
/**
* Domain to where forms can submit
*
* @since 17.0.0
*
* @return $this
*/
public function addAllowedFormActionDomain(string $domain) {
$this->allowedFormActionDomains[] = $domain;
return $this;
}
/**
* Remove domain to where forms can submit
*
* @return $this
* @since 17.0.0
*/
public function disallowFormActionDomain(string $domain) {
$this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
return $this;
}
/** /**
* Add location to report CSP violations to * Add location to report CSP violations to
* *
@ -491,6 +516,11 @@ class EmptyContentSecurityPolicy {
$policy .= ';'; $policy .= ';';
} }
if (!empty($this->allowedFormActionDomains)) {
$policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
$policy .= ';';
}
if (!empty($this->reportTo)) { if (!empty($this->reportTo)) {
$policy .= 'report-uri ' . implode(' ', $this->reportTo); $policy .= 'report-uri ' . implode(' ', $this->reportTo);
$policy .= ';'; $policy .= ';';