From e5a947192852a78c5c61d7e9404a76c42fb37ff5 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Mon, 3 Sep 2018 16:47:52 +0200
Subject: [PATCH] Add workerSrc to CSP

Fixes #11035

Since the child-src directive is deprecated (we should kill it at some point) we need to have the proper worker-src available

Signed-off-by: Roeland Jago Douma
---
 .../Security/CSP/ContentSecurityPolicy.php | 8 +++++
 .../Http/ContentSecurityPolicy.php | 3 ++
 .../Http/EmptyContentSecurityPolicy.php | 31 +++++++++++++++++++
 3 files changed, 42 insertions(+)

diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 77e20dedf4419..de62b5ee76a2b 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -213,4 +213,12 @@ public function setAllowedFrameAncestors($allowedFrameAncestors) {
 $this->allowedFrameAncestors = $allowedFrameAncestors;
 }
 
+ public function getAllowedWorkerSrcDomains(): array {
+ return $this->allowedWorkerSrcDomains;
+ }
+
+ public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
+ $this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
+ }
+
 }
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
index c705955bb8a0e..3445e8f8802f2 100644
--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -91,4 +91,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
 
 /** @var array Domains which can embed this Nextcloud instance */
 protected $allowedFrameAncestors = [];
+
+ /** @var array Domains from which web-workers can be loaded */
+ protected $allowedWorkerSrcDomains = [];
 }
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 6397d32cb9c6f..6c766538d81fd 100644
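Review bot: `setAllowedWorkerSrcDomains` takes a typed `array` parameter but declares no return type, while the getter beside it is fully typed; `public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains): void {` keeps the new pair consistent. Neither accessor carries a docblock, so a reader has to go to the public parent class to learn what the list feeds; a one-liner such as `/** Domains emitted in the worker-src directive (see EmptyContentSecurityPolicy::buildPolicy) */` above the getter would be enough. The visible sibling `setAllowedFrameAncestors` is untyped, so the typed additions are the newer style in this file rather than an inconsistency with it.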
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -73,6 +73,8 @@ class EmptyContentSecurityPolicy {
 protected $allowedChildSrcDomains = null;
 /** @var array Domains which can embed this Nextcloud instance */
 protected $allowedFrameAncestors = null;
+ /** @var array Domains from which web-workers can be loaded */
+ protected $allowedWorkerSrcDomains = null;
 
 /**
 * Whether inline JavaScript snippets are allowed or forbidden
@@ -355,6 +357,30 @@ public function disallowFrameAncestorDomain($domain) {
 return $this;
 }
 
+ /**
+ * Domain from which workers can be loaded
+ *
+ * @param string $domain
+ * @return $this
+ * @since 15.0.0
+ */
+ public function addAllowedWorkerSrcDomain(string $domain) {
+ $this->allowedWorkerSrcDomains[] = $domain;
+ return $this;
+ }
+
+ /**
+ * Remove domain from which workers can be loaded
+ *
+ * @param string $domain
+ * @return $this
+ * @since 15.0.0
+ */
+ public function disallowWorkerSrcDomain(string $domain) {
+ $this->allowedWorkerSrcDomains[] = array_diff($this->allowedWorkerSrcDomains, [$domain]);
+ return $this;
+ }
+
 /**
 * Get the generated Content-Security-Policy as a string
 * @return string
@@ -439,6 +465,11 @@ public function buildPolicy() {
 $policy .= ';';
 }
 
+ if (!empty($this->allowedWorkerSrcDomains)) {
+ $policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
+ $policy .= ';';
+ }
+
 return rtrim($policy, ';');
 }
 }
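Review bot: `disallowWorkerSrcDomain` in the @@ -355 hunk appends the result of `array_diff` as a new element instead of replacing the list, so the domain is never removed and the allow-list gains a nested array; the line should read `$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);`. As written, the new `worker-src` block in `buildPolicy` (the @@ -439 hunk) would `implode` that nested array and emit the literal token `Array` into the header instead of dropping the domain, which silently weakens the policy an app thinks it has tightened. The property also defaults to `null` in this class (the @@ -73 hunk), so a disallow call before any add passes `null` to `array_diff`; whether the existing `disallow*Domain` siblings guard that case is outside the hunk. A test that adds a domain, disallows it and asserts `buildPolicy()` contains no `worker-src` directive would pin both behaviours.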