Merge pull request #11040 from nextcloud/feature/11035/worker-src
Add worker-src to CSP
This commit is contained in:
commit
52012be4fa
3 changed files with 46 additions and 0 deletions
|
@ -187,6 +187,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
|||
|
||||
/**
|
||||
* @return array
|
||||
* @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
|
||||
*/
|
||||
public function getAllowedChildSrcDomains(): array {
|
||||
return $this->allowedChildSrcDomains;
|
||||
|
@ -194,6 +195,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
|||
|
||||
/**
|
||||
* @param array $allowedChildSrcDomains
|
||||
* @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
|
||||
*/
|
||||
public function setAllowedChildSrcDomains($allowedChildSrcDomains) {
|
||||
$this->allowedChildSrcDomains = $allowedChildSrcDomains;
|
||||
|
@ -213,4 +215,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
|
|||
$this->allowedFrameAncestors = $allowedFrameAncestors;
|
||||
}
|
||||
|
||||
public function getAllowedWorkerSrcDomains(): array {
|
||||
return $this->allowedWorkerSrcDomains;
|
||||
}
|
||||
|
||||
public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
|
||||
$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -91,4 +91,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
|
|||
|
||||
/** @var array Domains which can embed this Nextcloud instance */
|
||||
protected $allowedFrameAncestors = [];
|
||||
|
||||
/** @var array Domains from which web-workers can be loaded */
|
||||
protected $allowedWorkerSrcDomains = [];
|
||||
}
|
||||
|
|
|
@ -73,6 +73,8 @@ class EmptyContentSecurityPolicy {
|
|||
protected $allowedChildSrcDomains = null;
|
||||
/** @var array Domains which can embed this Nextcloud instance */
|
||||
protected $allowedFrameAncestors = null;
|
||||
/** @var array Domains from which web-workers can be loaded */
|
||||
protected $allowedWorkerSrcDomains = null;
|
||||
|
||||
/**
|
||||
* Whether inline JavaScript snippets are allowed or forbidden
|
||||
|
@ -313,6 +315,7 @@ class EmptyContentSecurityPolicy {
|
|||
* @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
|
||||
* @return $this
|
||||
* @since 8.1.0
|
||||
* @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
|
||||
*/
|
||||
public function addAllowedChildSrcDomain($domain) {
|
||||
$this->allowedChildSrcDomains[] = $domain;
|
||||
|
@ -325,6 +328,7 @@ class EmptyContentSecurityPolicy {
|
|||
* @param string $domain
|
||||
* @return $this
|
||||
* @since 8.1.0
|
||||
* @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
|
||||
*/
|
||||
public function disallowChildSrcDomain($domain) {
|
||||
$this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
|
||||
|
@ -355,6 +359,30 @@ class EmptyContentSecurityPolicy {
|
|||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Domain from which workers can be loaded
|
||||
*
|
||||
* @param string $domain
|
||||
* @return $this
|
||||
* @since 15.0.0
|
||||
*/
|
||||
public function addAllowedWorkerSrcDomain(string $domain) {
|
||||
$this->allowedWorkerSrcDomains[] = $domain;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove domain from which workers can be loaded
|
||||
*
|
||||
* @param string $domain
|
||||
* @return $this
|
||||
* @since 15.0.0
|
||||
*/
|
||||
public function disallowWorkerSrcDomain(string $domain) {
|
||||
$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the generated Content-Security-Policy as a string
|
||||
* @return string
|
||||
|
@ -439,6 +467,11 @@ class EmptyContentSecurityPolicy {
|
|||
$policy .= ';';
|
||||
}
|
||||
|
||||
if (!empty($this->allowedWorkerSrcDomains)) {
|
||||
$policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
|
||||
$policy .= ';';
|
||||
}
|
||||
|
||||
return rtrim($policy, ';');
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue