Skip to content

Commit

Permalink
Merge pull request #1920 from nextcloud/legacy-pages-should-also-rece…
Browse files Browse the repository at this point in the history
…ive-the-nonce

Add nonce also to legacy CSP
  • Loading branch information
rullzer authored Oct 26, 2016
2 parents cd12e2d + c20ab00 commit b98dfac
Show file tree
Hide file tree
Showing 4 changed files with 18 additions and 4 deletions.
2 changes: 1 addition & 1 deletion lib/private/AppFramework/Http/Request.php
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
// Firefox User Agent from https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
const USER_AGENT_FIREFOX = '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/[0-9.]+$/';
// Chrome User Agent from https://developer.chrome.com/multidevice/user-agent
const USER_AGENT_CHROME = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/';
const USER_AGENT_CHROME = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\)( Ubuntu Chromium\/[0-9.]+|) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/';
// Safari User Agent from http://www.useragentstring.com/pages/Safari/
const USER_AGENT_SAFARI = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ Safari\/[0-9.A-Z]+$/';
// Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@

namespace OC\Security\CSP;

use OC\AppFramework\Http\Request;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\IRequest;

Expand Down Expand Up @@ -65,8 +66,7 @@ public function getNonce() {
*/
public function browserSupportsCspV3() {
$browserWhitelist = [
// Chrome 40+
'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/',
Request::USER_AGENT_CHROME,
// Firefox 45+
'/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/',
// Safari 10+
Expand Down
2 changes: 1 addition & 1 deletion lib/private/legacy/response.php
Original file line number Diff line number Diff line change
Expand Up @@ -247,7 +247,7 @@ public static function addSecurityHeaders() {
* @see \OCP\AppFramework\Http\Response::getHeaders
*/
$policy = 'default-src \'self\'; '
. 'script-src \'self\' \'unsafe-eval\'; '
. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src * data: blob:; '
Expand Down
14 changes: 14 additions & 0 deletions tests/lib/AppFramework/Http/RequestTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -791,6 +791,20 @@ function userAgentProvider() {
],
false,
],
[
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
[
Request::USER_AGENT_CHROME
],
true,
],
[
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
[
Request::USER_AGENT_CHROME
],
true,
],
[
'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
[
Expand Down

0 comments on commit b98dfac

Please sign in to comment.