Unverified Commit 64244e1a authored by Roeland Jago Douma's avatar Roeland Jago Douma

CSP: Allow fonts to be provided in data

parent b820803c
...@@ -80,6 +80,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { ...@@ -80,6 +80,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
/** @var array Domains from which fonts can be loaded */ /** @var array Domains from which fonts can be loaded */
protected $allowedFontDomains = [ protected $allowedFontDomains = [
'\'self\'', '\'self\'',
'data:',
]; ];
/** @var array Domains from which web-workers and nested browsing content can load elements */ /** @var array Domains from which web-workers and nested browsing content can load elements */
protected $allowedChildSrcDomains = []; protected $allowedChildSrcDomains = [];
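Review bot: The doc comment on the property at the top of the hunk still reads `Domains from which fonts can be loaded`, but the new entry `'data:'` is a CSP scheme source, not a domain, so the comment now misdescribes the list; change it to `/** @var array Source expressions (domains and schemes such as data:) from which fonts can be loaded */`. The only record of why the default was widened is the commit title, so a why-comment on the new line, e.g. `'data:', // fonts may be provided as data: URIs`, would keep that reason next to the code. The test sections below show this list feeding `getDefaultPolicy()`, so the entry presumably becomes part of the policy every response inherits rather than an opt-in, which is worth stating in the comment as well. The enclosing class body continues outside the hunk.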
...@@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase { ...@@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase {
'test' => 'something', 'test' => 'something',
'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Type' => 'application/json; charset=utf-8', 'Content-Type' => 'application/json; charset=utf-8',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'", 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self'",
]; ];
$response = $this->controller->customDataResponse(array('hi')); $response = $this->controller->customDataResponse(array('hi'));
...@@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase { ...@@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase {
$expectedHeaders = [ $expectedHeaders = [
'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'", 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self'",
]; ];
$expectedHeaders = array_merge($expectedHeaders, $headers); $expectedHeaders = array_merge($expectedHeaders, $headers);
...@@ -59,14 +59,14 @@ class ResponseTest extends \Test\TestCase { ...@@ -59,14 +59,14 @@ class ResponseTest extends \Test\TestCase {
$this->childResponse->setHeaders($expected); $this->childResponse->setHeaders($expected);
$headers = $this->childResponse->getHeaders(); $headers = $this->childResponse->getHeaders();
$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'"; $expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self'";
$this->assertEquals($expected, $headers); $this->assertEquals($expected, $headers);
} }
public function testOverwriteCsp() { public function testOverwriteCsp() {
$expected = [ $expected = [
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self'", 'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self' data:;connect-src 'self';media-src 'self'",
]; ];
$policy = new Http\ContentSecurityPolicy(); $policy = new Http\ContentSecurityPolicy();
$policy->allowInlineScript(true); $policy->allowInlineScript(true);
...@@ -63,7 +63,7 @@ class ContentSecurityPolicyManagerTest extends \Test\TestCase { ...@@ -63,7 +63,7 @@ class ContentSecurityPolicyManagerTest extends \Test\TestCase {
$expected->addAllowedImageDomain('anotherdomain.de'); $expected->addAllowedImageDomain('anotherdomain.de');
$expected->addAllowedImageDomain('example.org'); $expected->addAllowedImageDomain('example.org');
$expected->addAllowedChildSrcDomain('childdomain'); $expected->addAllowedChildSrcDomain('childdomain');
$expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain"; $expectedStringPolicy = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: anotherdomain.de example.org;font-src 'self' data: mydomain.com example.com anotherFontDomain;connect-src 'self';media-src 'self';child-src childdomain";
$this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy()); $this->assertEquals($expected, $this->contentSecurityPolicyManager->getDefaultPolicy());
$this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy()); $this->assertSame($expectedStringPolicy, $this->contentSecurityPolicyManager->getDefaultPolicy()->buildPolicy());