
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Lukas Reschke <lukas@statuscode.ch>
  6. * @author Pierre Rudloff <contact@rudloff.pro>
  7. * @author Roeland Jago Douma <roeland@famdouma.nl>
  8. * @author Thomas Citharel <tcit@tcit.fr>
  9. *
  10. * @license AGPL-3.0
  11. *
  12. * This code is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License, version 3,
  14. * as published by the Free Software Foundation.
  15. *
  16. * This program is distributed in the hope that it will be useful,
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  19. * GNU Affero General Public License for more details.
  20. *
  21. * You should have received a copy of the GNU Affero General Public License, version 3,
  22. * along with this program. If not, see <http://www.gnu.org/licenses/>
  23. *
  24. */
  25. namespace OCP\AppFramework\Http;
/**
 * Class EmptyContentSecurityPolicy is a simple helper which allows applications
 * to modify the Content-Security-Policy sent by ownCloud. By default the policy
 * forbids everything.
 *
 * For an alternative with sane default exemptions, see ContentSecurityPolicy.
 *
 * @see \OCP\AppFramework\Http\ContentSecurityPolicy
 * @package OCP\AppFramework\Http
 * @since 9.0.0
 */
  37. class EmptyContentSecurityPolicy {
  38. /** @var bool Whether inline JS snippets are allowed */
  39. protected $inlineScriptAllowed = null;
  40. /** @var string Whether JS nonces should be used */
  41. protected $useJsNonce = null;
  42. /**
  43. * @var bool Whether eval in JS scripts is allowed
  44. * TODO: Disallow per default
  45. * @link https://github.com/owncloud/core/issues/11925
  46. */
  47. protected $evalScriptAllowed = null;
  48. /** @var array Domains from which scripts can get loaded */
  49. protected $allowedScriptDomains = null;
  50. /**
  51. * @var bool Whether inline CSS is allowed
  52. * TODO: Disallow per default
  53. * @link https://github.com/owncloud/core/issues/13458
  54. */
  55. protected $inlineStyleAllowed = null;
  56. /** @var array Domains from which CSS can get loaded */
  57. protected $allowedStyleDomains = null;
  58. /** @var array Domains from which images can get loaded */
  59. protected $allowedImageDomains = null;
  60. /** @var array Domains to which connections can be done */
  61. protected $allowedConnectDomains = null;
  62. /** @var array Domains from which media elements can be loaded */
  63. protected $allowedMediaDomains = null;
  64. /** @var array Domains from which object elements can be loaded */
  65. protected $allowedObjectDomains = null;
  66. /** @var array Domains from which iframes can be loaded */
  67. protected $allowedFrameDomains = null;
  68. /** @var array Domains from which fonts can be loaded */
  69. protected $allowedFontDomains = null;
  70. /** @var array Domains from which web-workers and nested browsing content can load elements */
  71. protected $allowedChildSrcDomains = null;
  72. /** @var array Domains which can embed this Nextcloud instance */
  73. protected $allowedFrameAncestors = null;
  74. /** @var array Domains from which web-workers can be loaded */
  75. protected $allowedWorkerSrcDomains = null;
  76. /** @var array Locations to report violations to */
  77. protected $reportTo = null;
  78. /**
  79. * Whether inline JavaScript snippets are allowed or forbidden
  80. * @param bool $state
  81. * @return $this
  82. * @since 8.1.0
  83. * @deprecated 10.0 CSP tokens are now used
  84. */
  85. public function allowInlineScript($state = false) {
  86. $this->inlineScriptAllowed = $state;
  87. return $this;
  88. }
  89. /**
  90. * Use the according JS nonce
  91. *
  92. * @param string $nonce
  93. * @return $this
  94. * @since 11.0.0
  95. */
  96. public function useJsNonce($nonce) {
  97. $this->useJsNonce = $nonce;
  98. return $this;
  99. }
  100. /**
  101. * Whether eval in JavaScript is allowed or forbidden
  102. * @param bool $state
  103. * @return $this
  104. * @since 8.1.0
  105. */
  106. public function allowEvalScript($state = true) {
  107. $this->evalScriptAllowed = $state;
  108. return $this;
  109. }
  110. /**
  111. * Allows to execute JavaScript files from a specific domain. Use * to
  112. * allow JavaScript from all domains.
  113. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  114. * @return $this
  115. * @since 8.1.0
  116. */
  117. public function addAllowedScriptDomain($domain) {
  118. $this->allowedScriptDomains[] = $domain;
  119. return $this;
  120. }
  121. /**
  122. * Remove the specified allowed script domain from the allowed domains.
  123. *
  124. * @param string $domain
  125. * @return $this
  126. * @since 8.1.0
  127. */
  128. public function disallowScriptDomain($domain) {
  129. $this->allowedScriptDomains = array_diff($this->allowedScriptDomains, [$domain]);
  130. return $this;
  131. }
  132. /**
  133. * Whether inline CSS snippets are allowed or forbidden
  134. * @param bool $state
  135. * @return $this
  136. * @since 8.1.0
  137. */
  138. public function allowInlineStyle($state = true) {
  139. $this->inlineStyleAllowed = $state;
  140. return $this;
  141. }
  142. /**
  143. * Allows to execute CSS files from a specific domain. Use * to allow
  144. * CSS from all domains.
  145. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  146. * @return $this
  147. * @since 8.1.0
  148. */
  149. public function addAllowedStyleDomain($domain) {
  150. $this->allowedStyleDomains[] = $domain;
  151. return $this;
  152. }
  153. /**
  154. * Remove the specified allowed style domain from the allowed domains.
  155. *
  156. * @param string $domain
  157. * @return $this
  158. * @since 8.1.0
  159. */
  160. public function disallowStyleDomain($domain) {
  161. $this->allowedStyleDomains = array_diff($this->allowedStyleDomains, [$domain]);
  162. return $this;
  163. }
  164. /**
  165. * Allows using fonts from a specific domain. Use * to allow
  166. * fonts from all domains.
  167. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  168. * @return $this
  169. * @since 8.1.0
  170. */
  171. public function addAllowedFontDomain($domain) {
  172. $this->allowedFontDomains[] = $domain;
  173. return $this;
  174. }
  175. /**
  176. * Remove the specified allowed font domain from the allowed domains.
  177. *
  178. * @param string $domain
  179. * @return $this
  180. * @since 8.1.0
  181. */
  182. public function disallowFontDomain($domain) {
  183. $this->allowedFontDomains = array_diff($this->allowedFontDomains, [$domain]);
  184. return $this;
  185. }
  186. /**
  187. * Allows embedding images from a specific domain. Use * to allow
  188. * images from all domains.
  189. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  190. * @return $this
  191. * @since 8.1.0
  192. */
  193. public function addAllowedImageDomain($domain) {
  194. $this->allowedImageDomains[] = $domain;
  195. return $this;
  196. }
  197. /**
  198. * Remove the specified allowed image domain from the allowed domains.
  199. *
  200. * @param string $domain
  201. * @return $this
  202. * @since 8.1.0
  203. */
  204. public function disallowImageDomain($domain) {
  205. $this->allowedImageDomains = array_diff($this->allowedImageDomains, [$domain]);
  206. return $this;
  207. }
  208. /**
  209. * To which remote domains the JS connect to.
  210. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  211. * @return $this
  212. * @since 8.1.0
  213. */
  214. public function addAllowedConnectDomain($domain) {
  215. $this->allowedConnectDomains[] = $domain;
  216. return $this;
  217. }
  218. /**
  219. * Remove the specified allowed connect domain from the allowed domains.
  220. *
  221. * @param string $domain
  222. * @return $this
  223. * @since 8.1.0
  224. */
  225. public function disallowConnectDomain($domain) {
  226. $this->allowedConnectDomains = array_diff($this->allowedConnectDomains, [$domain]);
  227. return $this;
  228. }
  229. /**
  230. * From which domains media elements can be embedded.
  231. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  232. * @return $this
  233. * @since 8.1.0
  234. */
  235. public function addAllowedMediaDomain($domain) {
  236. $this->allowedMediaDomains[] = $domain;
  237. return $this;
  238. }
  239. /**
  240. * Remove the specified allowed media domain from the allowed domains.
  241. *
  242. * @param string $domain
  243. * @return $this
  244. * @since 8.1.0
  245. */
  246. public function disallowMediaDomain($domain) {
  247. $this->allowedMediaDomains = array_diff($this->allowedMediaDomains, [$domain]);
  248. return $this;
  249. }
  250. /**
  251. * From which domains objects such as <object>, <embed> or <applet> are executed
  252. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  253. * @return $this
  254. * @since 8.1.0
  255. */
  256. public function addAllowedObjectDomain($domain) {
  257. $this->allowedObjectDomains[] = $domain;
  258. return $this;
  259. }
  260. /**
  261. * Remove the specified allowed object domain from the allowed domains.
  262. *
  263. * @param string $domain
  264. * @return $this
  265. * @since 8.1.0
  266. */
  267. public function disallowObjectDomain($domain) {
  268. $this->allowedObjectDomains = array_diff($this->allowedObjectDomains, [$domain]);
  269. return $this;
  270. }
  271. /**
  272. * Which domains can be embedded in an iframe
  273. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  274. * @return $this
  275. * @since 8.1.0
  276. */
  277. public function addAllowedFrameDomain($domain) {
  278. $this->allowedFrameDomains[] = $domain;
  279. return $this;
  280. }
  281. /**
  282. * Remove the specified allowed frame domain from the allowed domains.
  283. *
  284. * @param string $domain
  285. * @return $this
  286. * @since 8.1.0
  287. */
  288. public function disallowFrameDomain($domain) {
  289. $this->allowedFrameDomains = array_diff($this->allowedFrameDomains, [$domain]);
  290. return $this;
  291. }
  292. /**
  293. * Domains from which web-workers and nested browsing content can load elements
  294. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  295. * @return $this
  296. * @since 8.1.0
  297. * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
  298. */
  299. public function addAllowedChildSrcDomain($domain) {
  300. $this->allowedChildSrcDomains[] = $domain;
  301. return $this;
  302. }
  303. /**
  304. * Remove the specified allowed child src domain from the allowed domains.
  305. *
  306. * @param string $domain
  307. * @return $this
  308. * @since 8.1.0
  309. * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
  310. */
  311. public function disallowChildSrcDomain($domain) {
  312. $this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
  313. return $this;
  314. }
  315. /**
  316. * Domains which can embed an iFrame of the Nextcloud instance
  317. *
  318. * @param string $domain
  319. * @return $this
  320. * @since 13.0.0
  321. */
  322. public function addAllowedFrameAncestorDomain($domain) {
  323. $this->allowedFrameAncestors[] = $domain;
  324. return $this;
  325. }
  326. /**
  327. * Domains which can embed an iFrame of the Nextcloud instance
  328. *
  329. * @param string $domain
  330. * @return $this
  331. * @since 13.0.0
  332. */
  333. public function disallowFrameAncestorDomain($domain) {
  334. $this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
  335. return $this;
  336. }
  337. /**
  338. * Domain from which workers can be loaded
  339. *
  340. * @param string $domain
  341. * @return $this
  342. * @since 15.0.0
  343. */
  344. public function addAllowedWorkerSrcDomain(string $domain) {
  345. $this->allowedWorkerSrcDomains[] = $domain;
  346. return $this;
  347. }
  348. /**
  349. * Remove domain from which workers can be loaded
  350. *
  351. * @param string $domain
  352. * @return $this
  353. * @since 15.0.0
  354. */
  355. public function disallowWorkerSrcDomain(string $domain) {
  356. $this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
  357. return $this;
  358. }
  359. /**
  360. * Add location to report CSP violations to
  361. *
  362. * @param string $location
  363. * @return $this
  364. * @since 15.0.0
  365. */
  366. public function addReportTo(string $location) {
  367. $this->reportTo[] = $location;
  368. return $this;
  369. }
  370. /**
  371. * Get the generated Content-Security-Policy as a string
  372. * @return string
  373. * @since 8.1.0
  374. */
  375. public function buildPolicy() {
  376. $policy = "default-src 'none';";
  377. $policy .= "base-uri 'none';";
  378. $policy .= "manifest-src 'self';";
  379. if(!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
  380. $policy .= 'script-src ';
  381. if(is_string($this->useJsNonce)) {
  382. $policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
  383. $allowedScriptDomains = array_flip($this->allowedScriptDomains);
  384. unset($allowedScriptDomains['\'self\'']);
  385. $this->allowedScriptDomains = array_flip($allowedScriptDomains);
  386. if(count($allowedScriptDomains) !== 0) {
  387. $policy .= ' ';
  388. }
  389. }
  390. if(is_array($this->allowedScriptDomains)) {
  391. $policy .= implode(' ', $this->allowedScriptDomains);
  392. }
  393. if($this->inlineScriptAllowed) {
  394. $policy .= ' \'unsafe-inline\'';
  395. }
  396. if($this->evalScriptAllowed) {
  397. $policy .= ' \'unsafe-eval\'';
  398. }
  399. $policy .= ';';
  400. }
  401. if(!empty($this->allowedStyleDomains) || $this->inlineStyleAllowed) {
  402. $policy .= 'style-src ';
  403. if(is_array($this->allowedStyleDomains)) {
  404. $policy .= implode(' ', $this->allowedStyleDomains);
  405. }
  406. if($this->inlineStyleAllowed) {
  407. $policy .= ' \'unsafe-inline\'';
  408. }
  409. $policy .= ';';
  410. }
  411. if(!empty($this->allowedImageDomains)) {
  412. $policy .= 'img-src ' . implode(' ', $this->allowedImageDomains);
  413. $policy .= ';';
  414. }
  415. if(!empty($this->allowedFontDomains)) {
  416. $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
  417. $policy .= ';';
  418. }
  419. if(!empty($this->allowedConnectDomains)) {
  420. $policy .= 'connect-src ' . implode(' ', $this->allowedConnectDomains);
  421. $policy .= ';';
  422. }
  423. if(!empty($this->allowedMediaDomains)) {
  424. $policy .= 'media-src ' . implode(' ', $this->allowedMediaDomains);
  425. $policy .= ';';
  426. }
  427. if(!empty($this->allowedObjectDomains)) {
  428. $policy .= 'object-src ' . implode(' ', $this->allowedObjectDomains);
  429. $policy .= ';';
  430. }
  431. if(!empty($this->allowedFrameDomains)) {
  432. $policy .= 'frame-src ';
  433. if(is_string($this->useJsNonce)) {
  434. $policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
  435. }
  436. $policy .= implode(' ', $this->allowedFrameDomains);
  437. $policy .= ';';
  438. }
  439. if(!empty($this->allowedChildSrcDomains)) {
  440. $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
  441. $policy .= ';';
  442. }
  443. if(!empty($this->allowedFrameAncestors)) {
  444. $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
  445. $policy .= ';';
  446. }
  447. if (!empty($this->allowedWorkerSrcDomains)) {
  448. $policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
  449. $policy .= ';';
  450. }
  451. if (!empty($this->reportTo)) {
  452. $policy .= 'report-uri ' . implode(' ', $this->reportTo);
  453. $policy .= ';';
  454. }
  455. return rtrim($policy, ';');
  456. }
  457. }