Add support for CSP_NONCE server variable

Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Add support for CSP_NONCE server variable
ea935f65 · Sam Bull · Roeland Jago Douma · 3d0e0f23 · ea935f65 · ea935f65
Unverified Commit ea935f65 authored 5 years ago by Sam Bull Committed by Roeland Jago Douma 5 years ago
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
 	 */
 	public function getNonce(): string {
 		if($this->nonce === '') {
-			$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			if (empty($this->request->server['CSP_NONCE'])) {
+				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			} else {
+				$this->nonce = $this->request->server['CSP_NONCE'];
+			}
 		}

 		return $this->nonce;

--- a/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php
+++ b/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php
@@ -21,23 +21,26 @@

 namespace Test\Security\CSP;

+use OC\AppFramework\Http\Request;
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfToken;
 use OC\Security\CSRF\CsrfTokenManager;
-use OCP\IRequest;
 use Test\TestCase;

 class ContentSecurityPolicyNonceManagerTest extends TestCase  {
 	/** @var CsrfTokenManager */
 	private $csrfTokenManager;
+	/** @var Request */
+	private $request;
 	/** @var ContentSecurityPolicyNonceManager */
 	private $nonceManager;

 	public function setUp() {
 		$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
+		$this->request = $this->createMock(Request::class);
 		$this->nonceManager = new ContentSecurityPolicyNonceManager(
 			$this->csrfTokenManager,
-			$this->createMock(IRequest::class)
+			$this->request
 		);
 	}

@@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase  {
 		$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
 		$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
 	}
+
+	public function testGetNonceServerVar() {
+		$token = 'SERVERNONCE';
+		$this->request
+			->method('__isset')
+			->with('server')
+			->willReturn(true);
+
+		$this->request
+			->method('__get')
+			->with('server')
+			->willReturn(['CSP_NONCE' => $token]);
+
+		$this->assertSame($token, $this->nonceManager->getNonce());
+		$this->assertSame($token, $this->nonceManager->getNonce());
+	}
 }