809ff5ac95
Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
73 lines
2.3 KiB
PHP
73 lines
2.3 KiB
PHP
<?php
|
|
/**
|
|
* @author Lukas Reschke <lukas@owncloud.com>
|
|
*
|
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
|
* @license AGPL-3.0
|
|
*
|
|
* This code is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
*
|
|
*/
|
|
|
|
namespace OC\Security\CSP;
|
|
|
|
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
|
use OCP\Security\IContentSecurityPolicyManager;
|
|
|
|
class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
|
|
/** @var ContentSecurityPolicy[] */
|
|
private $policies = [];
|
|
|
|
/** {@inheritdoc} */
|
|
public function addDefaultPolicy(EmptyContentSecurityPolicy $policy) {
|
|
$this->policies[] = $policy;
|
|
}
|
|
|
|
/**
|
|
* Get the configured default policy. This is not in the public namespace
|
|
* as it is only supposed to be used by core itself.
|
|
*
|
|
* @return ContentSecurityPolicy
|
|
*/
|
|
public function getDefaultPolicy() {
|
|
$defaultPolicy = new \OC\Security\CSP\ContentSecurityPolicy();
|
|
foreach($this->policies as $policy) {
|
|
$defaultPolicy = $this->mergePolicies($defaultPolicy, $policy);
|
|
}
|
|
return $defaultPolicy;
|
|
}
|
|
|
|
/**
|
|
* Merges the first given policy with the second one
|
|
*
|
|
* @param ContentSecurityPolicy $defaultPolicy
|
|
* @param EmptyContentSecurityPolicy $originalPolicy
|
|
* @return ContentSecurityPolicy
|
|
*/
|
|
public function mergePolicies(ContentSecurityPolicy $defaultPolicy,
|
|
EmptyContentSecurityPolicy $originalPolicy) {
|
|
foreach((object)(array)$originalPolicy as $name => $value) {
|
|
$setter = 'set'.ucfirst($name);
|
|
if(is_array($value)) {
|
|
$getter = 'get'.ucfirst($name);
|
|
$currentValues = is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
|
|
$defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
|
|
} elseif (is_bool($value)) {
|
|
$defaultPolicy->$setter($value);
|
|
}
|
|
}
|
|
|
|
return $defaultPolicy;
|
|
}
|
|
}
|