Employ a stricter Content Security Policy on remote.php

Items sent by remote.php have not to be interpreted by browsers in any way.
This commit is contained in:
Lukas Reschke 2016-04-12 13:30:37 +02:00
parent 16df1c5188
commit 0cba1ba7f9
No known key found for this signature in database
GPG key ID: 9AB0ADB949B6898C
2 changed files with 7 additions and 2 deletions

View file

@ -74,7 +74,7 @@ Feature: webdav-related
When Downloading file "/welcome.txt" When Downloading file "/welcome.txt"
Then The following headers should be set Then The following headers should be set
|Content-Disposition|attachment| |Content-Disposition|attachment|
|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *| |Content-Security-Policy|default-src 'none';|
|X-Content-Type-Options |nosniff| |X-Content-Type-Options |nosniff|
|X-Download-Options|noopen| |X-Download-Options|noopen|
|X-Frame-Options|Sameorigin| |X-Frame-Options|Sameorigin|
@ -89,7 +89,7 @@ Feature: webdav-related
When Downloading file "/welcome.txt" When Downloading file "/welcome.txt"
Then The following headers should be set Then The following headers should be set
|Content-Disposition|attachment| |Content-Disposition|attachment|
|Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *| |Content-Security-Policy|default-src 'none';|
|X-Content-Type-Options |nosniff| |X-Content-Type-Options |nosniff|
|X-Download-Options|noopen| |X-Download-Options|noopen|
|X-Frame-Options|Sameorigin| |X-Frame-Options|Sameorigin|

View file

@ -108,6 +108,11 @@ function resolveService($service) {
try { try {
require_once 'lib/base.php'; require_once 'lib/base.php';
// All resources served via the DAV endpoint should have the strictest possible
// policy. Exempted from this is the SabreDAV browser plugin which overwrites
// this policy with a softer one if debug mode is enabled.
header("Content-Security-Policy: default-src 'none';");
if (\OCP\Util::needUpgrade()) { if (\OCP\Util::needUpgrade()) {
// since the behavior of apps or remotes are unpredictable during // since the behavior of apps or remotes are unpredictable during
// an upgrade, return a 503 directly // an upgrade, return a 503 directly