mirror of
https://github.com/nextcloud/server.git
synced 2026-02-25 02:44:57 -05:00
Merge pull request #38642 from nextcloud/chore/appframework/drop-emptycontentsecuritypolicy-allowinlinescript
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
This commit is contained in:
Simon L
GitHub
commit
63bf207ca7
5 changed files with 6 additions and 61 deletions
|
|
@ -37,8 +37,6 @@ namespace OCP\AppFramework\Http;
|
|||
* @since 9.0.0
|
||||
*/
|
||||
class EmptyContentSecurityPolicy {
|
||||
/** @var bool Whether inline JS snippets are allowed */
|
||||
protected $inlineScriptAllowed = null;
|
||||
/** @var string Whether JS nonces should be used */
|
||||
protected $useJsNonce = null;
|
||||
/** @var bool Whether strict-dynamic should be used */
|
||||
|
|
@ -83,18 +81,6 @@ class EmptyContentSecurityPolicy {
|
|||
/** @var array Locations to report violations to */
|
||||
protected $reportTo = null;
|
||||
|
||||
/**
|
||||
* Whether inline JavaScript snippets are allowed or forbidden
|
||||
* @param bool $state
|
||||
* @return $this
|
||||
* @since 8.1.0
|
||||
* @deprecated 10.0 CSP tokens are now used
|
||||
*/
|
||||
public function allowInlineScript($state = false) {
|
||||
$this->inlineScriptAllowed = $state;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param bool $state
|
||||
* @return EmptyContentSecurityPolicy
|
||||
|
|
@ -447,7 +433,7 @@ class EmptyContentSecurityPolicy {
|
|||
$policy .= "base-uri 'none';";
|
||||
$policy .= "manifest-src 'self';";
|
||||
|
||||
if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
|
||||
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed) {
|
||||
$policy .= 'script-src ';
|
||||
if (is_string($this->useJsNonce)) {
|
||||
if ($this->strictDynamicAllowed) {
|
||||
|
|
@ -464,9 +450,6 @@ class EmptyContentSecurityPolicy {
|
|||
if (is_array($this->allowedScriptDomains)) {
|
||||
$policy .= implode(' ', $this->allowedScriptDomains);
|
||||
}
|
||||
if ($this->inlineScriptAllowed) {
|
||||
$policy .= ' \'unsafe-inline\'';
|
||||
}
|
||||
if ($this->evalScriptAllowed) {
|
||||
$policy .= ' \'unsafe-eval\'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -68,25 +68,9 @@ class ContentSecurityPolicyTest extends \Test\TestCase {
|
|||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptAllowInline() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
|
||||
|
||||
$this->contentSecurityPolicy->allowInlineScript(true);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptAllowInlineWithDomain() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' www.owncloud.com 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
|
||||
|
||||
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
||||
$this->contentSecurityPolicy->allowInlineScript(true);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptDisallowInlineAndEval() {
|
||||
public function testGetPolicyScriptDisallowEval() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'";
|
||||
|
||||
$this->contentSecurityPolicy->allowInlineScript(false);
|
||||
$this->contentSecurityPolicy->allowEvalScript(false);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -68,25 +68,9 @@ class EmptyContentSecurityPolicyTest extends \Test\TestCase {
|
|||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptAllowInline() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline';frame-ancestors 'none'";
|
||||
public function testGetPolicyScriptAllowEval() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-eval';frame-ancestors 'none'";
|
||||
|
||||
$this->contentSecurityPolicy->allowInlineScript(true);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptAllowInlineWithDomain() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src www.owncloud.com 'unsafe-inline';frame-ancestors 'none'";
|
||||
|
||||
$this->contentSecurityPolicy->addAllowedScriptDomain('www.owncloud.com');
|
||||
$this->contentSecurityPolicy->allowInlineScript(true);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
||||
public function testGetPolicyScriptAllowInlineAndEval() {
|
||||
$expectedPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'unsafe-inline' 'unsafe-eval';frame-ancestors 'none'";
|
||||
|
||||
$this->contentSecurityPolicy->allowInlineScript(true);
|
||||
$this->contentSecurityPolicy->allowEvalScript(true);
|
||||
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -67,7 +67,6 @@ class ResponseTest extends \Test\TestCase {
|
|||
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self' data:;connect-src 'self';media-src 'self'",
|
||||
];
|
||||
$policy = new Http\ContentSecurityPolicy();
|
||||
$policy->allowInlineScript(true);
|
||||
|
||||
$this->childResponse->setContentSecurityPolicy($policy);
|
||||
$headers = $this->childResponse->getHeaders();
|
||||
|
|
@ -77,7 +76,6 @@ class ResponseTest extends \Test\TestCase {
|
|||
|
||||
public function testGetCsp() {
|
||||
$policy = new Http\ContentSecurityPolicy();
|
||||
$policy->allowInlineScript(true);
|
||||
|
||||
$this->childResponse->setContentSecurityPolicy($policy);
|
||||
$this->assertEquals($policy, $this->childResponse->getContentSecurityPolicy());
|
||||
|
|
|
|||
|
|
@ -56,7 +56,6 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
|
||||
$policy->addAllowedFontDomain('example.com');
|
||||
$policy->addAllowedImageDomain('example.org');
|
||||
$policy->allowInlineScript(true);
|
||||
$policy->allowEvalScript(true);
|
||||
$this->contentSecurityPolicyManager->addDefaultPolicy($policy);
|
||||
$policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
|
||||
|
|
@ -66,7 +65,6 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
$this->contentSecurityPolicyManager->addDefaultPolicy($policy);
|
||||
|
||||
$expected = new \OC\Security\CSP\ContentSecurityPolicy();
|
||||
$expected->allowInlineScript(true);
|
||||
$expected->allowEvalScript(true);
|
||||
$expected->addAllowedFontDomain('mydomain.com');
|
||||
$expected->addAllowedFontDomain('example.com');
|
||||
|
|
@ -75,7 +73,7 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
$expected->addAllowedImageDomain('anotherdomain.de');
|
||||
$expected->addAllowedImageDomain('example.org');
|
||||
$expected->addAllowedChildSrcDomain('childdomain');
|
||||
$expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
|
||||
$expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
|
||||
|
||||
$this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
|
||||
$this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
|
||||
|
|
@ -96,7 +94,6 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
|
||||
$policy->addAllowedFontDomain('example.com');
|
||||
$policy->addAllowedImageDomain('example.org');
|
||||
$policy->allowInlineScript(true);
|
||||
$policy->allowEvalScript(false);
|
||||
$e->addPolicy($policy);
|
||||
});
|
||||
|
|
@ -110,7 +107,6 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
});
|
||||
|
||||
$expected = new \OC\Security\CSP\ContentSecurityPolicy();
|
||||
$expected->allowInlineScript(true);
|
||||
$expected->allowEvalScript(true);
|
||||
$expected->addAllowedFontDomain('mydomain.com');
|
||||
$expected->addAllowedFontDomain('example.com');
|
||||
|
|
@ -120,7 +116,7 @@ class ContentSecurityPolicyManagerTest extends TestCase {
|
|||
$expected->addAllowedChildSrcDomain('childdomain');
|
||||
$expected->addAllowedFormActionDomain('thirdDomain');
|
||||
$expected->useStrictDynamic(true);
|
||||
$expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
|
||||
$expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain;frame-ancestors 'self';form-action 'self' thirdDomain";
|
||||
|
||||
$this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
|
||||
$this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());
|
||||
|
|
|
|||
Loading…
Reference in a new issue