
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
  5. *
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Lukas Reschke <lukas@statuscode.ch>
  9. * @author Pavel Krasikov <klonishe@gmail.com>
  10. * @author Roeland Jago Douma <roeland@famdouma.nl>
  11. * @author Sam Bull <aa6bs0@sambull.org>
  12. *
  13. * @license GNU AGPL version 3 or any later version
  14. *
  15. * This program is free software: you can redistribute it and/or modify
  16. * it under the terms of the GNU Affero General Public License as
  17. * published by the Free Software Foundation, either version 3 of the
  18. * License, or (at your option) any later version.
  19. *
  20. * This program is distributed in the hope that it will be useful,
  21. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. * GNU Affero General Public License for more details.
  24. *
  25. * You should have received a copy of the GNU Affero General Public License
  26. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  27. *
  28. */
  29. namespace OC\Security\CSP;
  30. use OC\AppFramework\Http\Request;
  31. use OC\Security\CSRF\CsrfTokenManager;
  32. use OCP\IRequest;
  33. /**
  34. * @package OC\Security\CSP
  35. */
  36. class ContentSecurityPolicyNonceManager {
  37. /** @var CsrfTokenManager */
  38. private $csrfTokenManager;
  39. /** @var IRequest */
  40. private $request;
  41. /** @var string */
  42. private $nonce = '';
  43. /**
  44. * @param CsrfTokenManager $csrfTokenManager
  45. * @param IRequest $request
  46. */
  47. public function __construct(CsrfTokenManager $csrfTokenManager,
  48. IRequest $request) {
  49. $this->csrfTokenManager = $csrfTokenManager;
  50. $this->request = $request;
  51. }
  52. /**
  53. * Returns the current CSP nounce
  54. *
  55. * @return string
  56. */
  57. public function getNonce(): string {
  58. if ($this->nonce === '') {
  59. if (empty($this->request->server['CSP_NONCE'])) {
  60. $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
  61. } else {
  62. $this->nonce = $this->request->server['CSP_NONCE'];
  63. }
  64. }
  65. return $this->nonce;
  66. }
  67. /**
  68. * Check if the browser supports CSP v3
  69. *
  70. * @return bool
  71. */
  72. public function browserSupportsCspV3(): bool {
  73. $browserWhitelist = [
  74. Request::USER_AGENT_CHROME,
  75. Request::USER_AGENT_FIREFOX,
  76. Request::USER_AGENT_SAFARI,
  77. ];
  78. if ($this->request->isUserAgent($browserWhitelist)) {
  79. return true;
  80. }
  81. return false;
  82. }
  83. }