EmptyContentSecurityPolicy.php 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OCP\AppFramework\Http;
  8. /**
  9. * Class EmptyContentSecurityPolicy is a simple helper which allows applications
  10. * to modify the Content-Security-Policy sent by Nexcloud. Per default the policy
  11. * is forbidding everything.
  12. *
  13. * As alternative with sane exemptions look at ContentSecurityPolicy
  14. *
  15. * @see \OCP\AppFramework\Http\ContentSecurityPolicy
  16. * @since 9.0.0
  17. */
  18. class EmptyContentSecurityPolicy {
  19. /** @var ?string JS nonce to be used */
  20. protected ?string $jsNonce = null;
  21. /** @var bool Whether strict-dynamic should be used */
  22. protected $strictDynamicAllowed = null;
  23. /** @var bool Whether strict-dynamic should be used on script-src-elem */
  24. protected $strictDynamicAllowedOnScripts = null;
  25. /**
  26. * @var bool Whether eval in JS scripts is allowed
  27. * TODO: Disallow per default
  28. * @link https://github.com/owncloud/core/issues/11925
  29. */
  30. protected $evalScriptAllowed = null;
  31. /** @var bool Whether WebAssembly compilation is allowed */
  32. protected ?bool $evalWasmAllowed = null;
  33. /** @var array Domains from which scripts can get loaded */
  34. protected $allowedScriptDomains = null;
  35. /**
  36. * @var bool Whether inline CSS is allowed
  37. * TODO: Disallow per default
  38. * @link https://github.com/owncloud/core/issues/13458
  39. */
  40. protected $inlineStyleAllowed = null;
  41. /** @var array Domains from which CSS can get loaded */
  42. protected $allowedStyleDomains = null;
  43. /** @var array Domains from which images can get loaded */
  44. protected $allowedImageDomains = null;
  45. /** @var array Domains to which connections can be done */
  46. protected $allowedConnectDomains = null;
  47. /** @var array Domains from which media elements can be loaded */
  48. protected $allowedMediaDomains = null;
  49. /** @var array Domains from which object elements can be loaded */
  50. protected $allowedObjectDomains = null;
  51. /** @var array Domains from which iframes can be loaded */
  52. protected $allowedFrameDomains = null;
  53. /** @var array Domains from which fonts can be loaded */
  54. protected $allowedFontDomains = null;
  55. /** @var array Domains from which web-workers and nested browsing content can load elements */
  56. protected $allowedChildSrcDomains = null;
  57. /** @var array Domains which can embed this Nextcloud instance */
  58. protected $allowedFrameAncestors = null;
  59. /** @var array Domains from which web-workers can be loaded */
  60. protected $allowedWorkerSrcDomains = null;
  61. /** @var array Domains which can be used as target for forms */
  62. protected $allowedFormActionDomains = null;
  63. /** @var array Locations to report violations to */
  64. protected $reportTo = null;
  65. /**
  66. * @param bool $state
  67. * @return EmptyContentSecurityPolicy
  68. * @since 24.0.0
  69. */
  70. public function useStrictDynamic(bool $state = false): self {
  71. $this->strictDynamicAllowed = $state;
  72. return $this;
  73. }
  74. /**
  75. * In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem
  76. * Meaning only grants trust to all imports of scripts that were loaded in `<script>` tags, and thus weakens less the CSP.
  77. * @param bool $state
  78. * @return EmptyContentSecurityPolicy
  79. * @since 28.0.0
  80. */
  81. public function useStrictDynamicOnScripts(bool $state = false): self {
  82. $this->strictDynamicAllowedOnScripts = $state;
  83. return $this;
  84. }
  85. /**
  86. * Use the according JS nonce
  87. * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
  88. *
  89. * @param string $nonce
  90. * @return $this
  91. * @since 11.0.0
  92. */
  93. public function useJsNonce($nonce) {
  94. $this->jsNonce = $nonce;
  95. return $this;
  96. }
  97. /**
  98. * Whether eval in JavaScript is allowed or forbidden
  99. * @param bool $state
  100. * @return $this
  101. * @since 8.1.0
  102. * @deprecated Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.
  103. */
  104. public function allowEvalScript($state = true) {
  105. $this->evalScriptAllowed = $state;
  106. return $this;
  107. }
  108. /**
  109. * Whether WebAssembly compilation is allowed or forbidden
  110. * @param bool $state
  111. * @return $this
  112. * @since 28.0.0
  113. */
  114. public function allowEvalWasm(bool $state = true) {
  115. $this->evalWasmAllowed = $state;
  116. return $this;
  117. }
  118. /**
  119. * Allows to execute JavaScript files from a specific domain. Use * to
  120. * allow JavaScript from all domains.
  121. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  122. * @return $this
  123. * @since 8.1.0
  124. */
  125. public function addAllowedScriptDomain($domain) {
  126. $this->allowedScriptDomains[] = $domain;
  127. return $this;
  128. }
  129. /**
  130. * Remove the specified allowed script domain from the allowed domains.
  131. *
  132. * @param string $domain
  133. * @return $this
  134. * @since 8.1.0
  135. */
  136. public function disallowScriptDomain($domain) {
  137. $this->allowedScriptDomains = array_diff($this->allowedScriptDomains, [$domain]);
  138. return $this;
  139. }
  140. /**
  141. * Whether inline CSS snippets are allowed or forbidden
  142. * @param bool $state
  143. * @return $this
  144. * @since 8.1.0
  145. */
  146. public function allowInlineStyle($state = true) {
  147. $this->inlineStyleAllowed = $state;
  148. return $this;
  149. }
  150. /**
  151. * Allows to execute CSS files from a specific domain. Use * to allow
  152. * CSS from all domains.
  153. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  154. * @return $this
  155. * @since 8.1.0
  156. */
  157. public function addAllowedStyleDomain($domain) {
  158. $this->allowedStyleDomains[] = $domain;
  159. return $this;
  160. }
  161. /**
  162. * Remove the specified allowed style domain from the allowed domains.
  163. *
  164. * @param string $domain
  165. * @return $this
  166. * @since 8.1.0
  167. */
  168. public function disallowStyleDomain($domain) {
  169. $this->allowedStyleDomains = array_diff($this->allowedStyleDomains, [$domain]);
  170. return $this;
  171. }
  172. /**
  173. * Allows using fonts from a specific domain. Use * to allow
  174. * fonts from all domains.
  175. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  176. * @return $this
  177. * @since 8.1.0
  178. */
  179. public function addAllowedFontDomain($domain) {
  180. $this->allowedFontDomains[] = $domain;
  181. return $this;
  182. }
  183. /**
  184. * Remove the specified allowed font domain from the allowed domains.
  185. *
  186. * @param string $domain
  187. * @return $this
  188. * @since 8.1.0
  189. */
  190. public function disallowFontDomain($domain) {
  191. $this->allowedFontDomains = array_diff($this->allowedFontDomains, [$domain]);
  192. return $this;
  193. }
  194. /**
  195. * Allows embedding images from a specific domain. Use * to allow
  196. * images from all domains.
  197. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  198. * @return $this
  199. * @since 8.1.0
  200. */
  201. public function addAllowedImageDomain($domain) {
  202. $this->allowedImageDomains[] = $domain;
  203. return $this;
  204. }
  205. /**
  206. * Remove the specified allowed image domain from the allowed domains.
  207. *
  208. * @param string $domain
  209. * @return $this
  210. * @since 8.1.0
  211. */
  212. public function disallowImageDomain($domain) {
  213. $this->allowedImageDomains = array_diff($this->allowedImageDomains, [$domain]);
  214. return $this;
  215. }
  216. /**
  217. * To which remote domains the JS connect to.
  218. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  219. * @return $this
  220. * @since 8.1.0
  221. */
  222. public function addAllowedConnectDomain($domain) {
  223. $this->allowedConnectDomains[] = $domain;
  224. return $this;
  225. }
  226. /**
  227. * Remove the specified allowed connect domain from the allowed domains.
  228. *
  229. * @param string $domain
  230. * @return $this
  231. * @since 8.1.0
  232. */
  233. public function disallowConnectDomain($domain) {
  234. $this->allowedConnectDomains = array_diff($this->allowedConnectDomains, [$domain]);
  235. return $this;
  236. }
  237. /**
  238. * From which domains media elements can be embedded.
  239. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  240. * @return $this
  241. * @since 8.1.0
  242. */
  243. public function addAllowedMediaDomain($domain) {
  244. $this->allowedMediaDomains[] = $domain;
  245. return $this;
  246. }
  247. /**
  248. * Remove the specified allowed media domain from the allowed domains.
  249. *
  250. * @param string $domain
  251. * @return $this
  252. * @since 8.1.0
  253. */
  254. public function disallowMediaDomain($domain) {
  255. $this->allowedMediaDomains = array_diff($this->allowedMediaDomains, [$domain]);
  256. return $this;
  257. }
  258. /**
  259. * From which domains objects such as <object>, <embed> or <applet> are executed
  260. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  261. * @return $this
  262. * @since 8.1.0
  263. */
  264. public function addAllowedObjectDomain($domain) {
  265. $this->allowedObjectDomains[] = $domain;
  266. return $this;
  267. }
  268. /**
  269. * Remove the specified allowed object domain from the allowed domains.
  270. *
  271. * @param string $domain
  272. * @return $this
  273. * @since 8.1.0
  274. */
  275. public function disallowObjectDomain($domain) {
  276. $this->allowedObjectDomains = array_diff($this->allowedObjectDomains, [$domain]);
  277. return $this;
  278. }
  279. /**
  280. * Which domains can be embedded in an iframe
  281. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  282. * @return $this
  283. * @since 8.1.0
  284. */
  285. public function addAllowedFrameDomain($domain) {
  286. $this->allowedFrameDomains[] = $domain;
  287. return $this;
  288. }
  289. /**
  290. * Remove the specified allowed frame domain from the allowed domains.
  291. *
  292. * @param string $domain
  293. * @return $this
  294. * @since 8.1.0
  295. */
  296. public function disallowFrameDomain($domain) {
  297. $this->allowedFrameDomains = array_diff($this->allowedFrameDomains, [$domain]);
  298. return $this;
  299. }
  300. /**
  301. * Domains from which web-workers and nested browsing content can load elements
  302. * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
  303. * @return $this
  304. * @since 8.1.0
  305. * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
  306. */
  307. public function addAllowedChildSrcDomain($domain) {
  308. $this->allowedChildSrcDomains[] = $domain;
  309. return $this;
  310. }
  311. /**
  312. * Remove the specified allowed child src domain from the allowed domains.
  313. *
  314. * @param string $domain
  315. * @return $this
  316. * @since 8.1.0
  317. * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
  318. */
  319. public function disallowChildSrcDomain($domain) {
  320. $this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
  321. return $this;
  322. }
  323. /**
  324. * Domains which can embed an iFrame of the Nextcloud instance
  325. *
  326. * @param string $domain
  327. * @return $this
  328. * @since 13.0.0
  329. */
  330. public function addAllowedFrameAncestorDomain($domain) {
  331. $this->allowedFrameAncestors[] = $domain;
  332. return $this;
  333. }
  334. /**
  335. * Domains which can embed an iFrame of the Nextcloud instance
  336. *
  337. * @param string $domain
  338. * @return $this
  339. * @since 13.0.0
  340. */
  341. public function disallowFrameAncestorDomain($domain) {
  342. $this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
  343. return $this;
  344. }
  345. /**
  346. * Domain from which workers can be loaded
  347. *
  348. * @param string $domain
  349. * @return $this
  350. * @since 15.0.0
  351. */
  352. public function addAllowedWorkerSrcDomain(string $domain) {
  353. $this->allowedWorkerSrcDomains[] = $domain;
  354. return $this;
  355. }
  356. /**
  357. * Remove domain from which workers can be loaded
  358. *
  359. * @param string $domain
  360. * @return $this
  361. * @since 15.0.0
  362. */
  363. public function disallowWorkerSrcDomain(string $domain) {
  364. $this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
  365. return $this;
  366. }
  367. /**
  368. * Domain to where forms can submit
  369. *
  370. * @since 17.0.0
  371. *
  372. * @return $this
  373. */
  374. public function addAllowedFormActionDomain(string $domain) {
  375. $this->allowedFormActionDomains[] = $domain;
  376. return $this;
  377. }
  378. /**
  379. * Remove domain to where forms can submit
  380. *
  381. * @return $this
  382. * @since 17.0.0
  383. */
  384. public function disallowFormActionDomain(string $domain) {
  385. $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
  386. return $this;
  387. }
  388. /**
  389. * Add location to report CSP violations to
  390. *
  391. * @param string $location
  392. * @return $this
  393. * @since 15.0.0
  394. */
  395. public function addReportTo(string $location) {
  396. $this->reportTo[] = $location;
  397. return $this;
  398. }
  399. /**
  400. * Get the generated Content-Security-Policy as a string
  401. * @return string
  402. * @since 8.1.0
  403. */
  404. public function buildPolicy() {
  405. $policy = "default-src 'none';";
  406. $policy .= "base-uri 'none';";
  407. $policy .= "manifest-src 'self';";
  408. if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
  409. $policy .= 'script-src ';
  410. $scriptSrc = '';
  411. if (is_string($this->jsNonce)) {
  412. if ($this->strictDynamicAllowed) {
  413. $scriptSrc .= '\'strict-dynamic\' ';
  414. }
  415. $scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\'';
  416. $allowedScriptDomains = array_flip($this->allowedScriptDomains);
  417. unset($allowedScriptDomains['\'self\'']);
  418. $this->allowedScriptDomains = array_flip($allowedScriptDomains);
  419. if (count($allowedScriptDomains) !== 0) {
  420. $scriptSrc .= ' ';
  421. }
  422. }
  423. if (is_array($this->allowedScriptDomains)) {
  424. $scriptSrc .= implode(' ', $this->allowedScriptDomains);
  425. }
  426. if ($this->evalScriptAllowed) {
  427. $scriptSrc .= ' \'unsafe-eval\'';
  428. }
  429. if ($this->evalWasmAllowed) {
  430. $scriptSrc .= ' \'wasm-unsafe-eval\'';
  431. }
  432. $policy .= $scriptSrc . ';';
  433. }
  434. // We only need to set this if 'strictDynamicAllowed' is not set because otherwise we can simply fall back to script-src
  435. if ($this->strictDynamicAllowedOnScripts && is_string($this->jsNonce) && !$this->strictDynamicAllowed) {
  436. $policy .= 'script-src-elem \'strict-dynamic\' ';
  437. $policy .= $scriptSrc ?? '';
  438. $policy .= ';';
  439. }
  440. if (!empty($this->allowedStyleDomains) || $this->inlineStyleAllowed) {
  441. $policy .= 'style-src ';
  442. if (is_array($this->allowedStyleDomains)) {
  443. $policy .= implode(' ', $this->allowedStyleDomains);
  444. }
  445. if ($this->inlineStyleAllowed) {
  446. $policy .= ' \'unsafe-inline\'';
  447. }
  448. $policy .= ';';
  449. }
  450. if (!empty($this->allowedImageDomains)) {
  451. $policy .= 'img-src ' . implode(' ', $this->allowedImageDomains);
  452. $policy .= ';';
  453. }
  454. if (!empty($this->allowedFontDomains)) {
  455. $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
  456. $policy .= ';';
  457. }
  458. if (!empty($this->allowedConnectDomains)) {
  459. $policy .= 'connect-src ' . implode(' ', $this->allowedConnectDomains);
  460. $policy .= ';';
  461. }
  462. if (!empty($this->allowedMediaDomains)) {
  463. $policy .= 'media-src ' . implode(' ', $this->allowedMediaDomains);
  464. $policy .= ';';
  465. }
  466. if (!empty($this->allowedObjectDomains)) {
  467. $policy .= 'object-src ' . implode(' ', $this->allowedObjectDomains);
  468. $policy .= ';';
  469. }
  470. if (!empty($this->allowedFrameDomains)) {
  471. $policy .= 'frame-src ';
  472. $policy .= implode(' ', $this->allowedFrameDomains);
  473. $policy .= ';';
  474. }
  475. if (!empty($this->allowedChildSrcDomains)) {
  476. $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
  477. $policy .= ';';
  478. }
  479. if (!empty($this->allowedFrameAncestors)) {
  480. $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
  481. $policy .= ';';
  482. } else {
  483. $policy .= 'frame-ancestors \'none\';';
  484. }
  485. if (!empty($this->allowedWorkerSrcDomains)) {
  486. $policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
  487. $policy .= ';';
  488. }
  489. if (!empty($this->allowedFormActionDomains)) {
  490. $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
  491. $policy .= ';';
  492. }
  493. if (!empty($this->reportTo)) {
  494. $policy .= 'report-uri ' . implode(' ', $this->reportTo);
  495. $policy .= ';';
  496. }
  497. return rtrim($policy, ';');
  498. }
  499. }