Merge pull request #16711 from nextcloud/fix/csp/form_actions/loginflow

Fix login flow form actions
Roeland Jago Douma 2019-08-12 08:24:53 +02:00 committed by GitHub
commit fced73aa37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 2 deletions


@ -195,7 +195,10 @@ class ClientFlowLoginController extends Controller {
); );
$this->session->set(self::stateName, $stateToken); $this->session->set(self::stateName, $stateToken);
return new StandaloneTemplateResponse( $csp = new Http\ContentSecurityPolicy();
$csp->addAllowedFormActionDomain('nc://*');
$response = new StandaloneTemplateResponse(
$this->appName, $this->appName,
'loginflow/authpicker', 'loginflow/authpicker',
[ [
@ -209,6 +212,9 @@ class ClientFlowLoginController extends Controller {
], ],
'guest' 'guest'
); );
$response->setContentSecurityPolicy($csp);
return $response;
} }
/** /**
@ -234,7 +240,10 @@ class ClientFlowLoginController extends Controller {
$clientName = $client->getName(); $clientName = $client->getName();
} }
return new StandaloneTemplateResponse( $csp = new Http\ContentSecurityPolicy();
$csp->addAllowedFormActionDomain('nc://*');
$response = new StandaloneTemplateResponse(
$this->appName, $this->appName,
'loginflow/grant', 'loginflow/grant',
[ [
@ -248,6 +257,9 @@ class ClientFlowLoginController extends Controller {
], ],
'guest' 'guest'
); );
$response->setContentSecurityPolicy($csp);
return $response;
} }
/** /**
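Review bot: The CSP setup added at the top of the first hunk (`$csp = new Http\ContentSecurityPolicy(); $csp->addAllowedFormActionDomain('nc://*');`) is repeated verbatim in the third hunk for the `loginflow/grant` response, so the two pages can drift apart the next time the policy changes. A private helper that builds the login-flow policy once, called as `$response->setContentSecurityPolicy($this->getLoginFlowCsp());` in both methods, keeps the form-action allowance in one place. The helper is also the natural home for a comment saying why `nc://*` is needed, since nothing in the hunks explains it; presumably it is the custom scheme the client registers for the login-flow redirect, which the default policy's form-action does not cover. Both enclosing methods start outside the hunks, so the helper would be placed next to them in the class body.
```php
	/**
	 * Content Security Policy for the login-flow pages.
	 *
	 * The auth picker and grant pages submit their forms to the client's
	 * custom scheme (nc://), which is not covered by the default policy
	 * (presumably — confirm against the form targets in the templates).
	 */
	private function getLoginFlowCsp(): Http\ContentSecurityPolicy {
		$csp = new Http\ContentSecurityPolicy();
		$csp->addAllowedFormActionDomain('nc://*');
		return $csp;
	}

	// … unchanged: showAuthPickerPage body up to the StandaloneTemplateResponse …
		$response->setContentSecurityPolicy($this->getLoginFlowCsp());
		return $response;

	// … unchanged: grant page body up to the StandaloneTemplateResponse …
		$response->setContentSecurityPolicy($this->getLoginFlowCsp());
		return $response;
```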


@ -186,6 +186,9 @@ class ClientFlowLoginControllerTest extends TestCase {
], ],
'guest' 'guest'
); );
$csp = new Http\ContentSecurityPolicy();
$csp->addAllowedFormActionDomain('nc://*');
$expected->setContentSecurityPolicy($csp);
$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage()); $this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage());
} }
@ -245,6 +248,9 @@ class ClientFlowLoginControllerTest extends TestCase {
], ],
'guest' 'guest'
); );
$csp = new Http\ContentSecurityPolicy();
$csp->addAllowedFormActionDomain('nc://*');
$expected->setContentSecurityPolicy($csp);
$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier')); $this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier'));
} }
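Review bot: Both visible test hunks assert the new CSP only through `showAuthPickerPage()` (last line of each hunk), while the controller commit also attaches the same policy to the `loginflow/grant` response; no assertion for that second response is visible in this section, so the grant page's form-action allowance may be untested unless it is covered outside this view. A sibling test for the grant page that builds the same expected policy and compares the returned response would pin that behaviour too. Since `assertEquals` compares the whole response object, a regression that dropped `setContentSecurityPolicy` on the grant path would otherwise go unnoticed.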