Set frame-ancestors to none if none are filled
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
rullzer authored and backportbot[bot] committed Dec 1, 2020
1 parent 86da501 commit f7a2663
Showing 6 changed files with 63 additions and 61 deletions.
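The fallback rule the commit message relies on, shown as an added example that is not part of this commit or of Nextcloud: a small Python checker that parses a serialized CSP, applies default-src fallback only to the directives the specification allows it for, and reports whether framing is actually restricted. The two header strings are copies of the before/after values from the tests changed in this commit; the function names and the sample origins are illustrative.

```python
from typing import Dict, List, Optional

# Added example, not Nextcloud code. The two headers are constructed copies of
# the before/after Content-Security-Policy values from this commit's tests.
CSP_BEFORE = "default-src 'none';base-uri 'none';manifest-src 'self'"
CSP_AFTER = "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"

# Directives that never fall back to default-src (CSP Level 3). Fetch
# directives such as img-src or script-src do fall back when absent.
NO_FALLBACK = {
    "frame-ancestors", "base-uri", "form-action", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive-name: [source expressions]}.

    Directives are ';'-separated, names are case-insensitive, and a directive
    repeated within one policy is ignored after its first occurrence, which is
    how browsers treat duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive` after applying fallback.

    Returns None when nothing governs it, i.e. the browser imposes no
    restriction for that directive at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def framing_restricted(header: str) -> bool:
    """True only if frame-ancestors itself is present; default-src is irrelevant."""
    return effective_sources(parse_csp(header), "frame-ancestors") is not None


def embeddable_by(header: str, origin: str) -> bool:
    """Can a document at `origin` frame a page served with `header`?

    Models the common source expressions: 'none', '*' and exact origins.
    'self' is not resolved (it would need the page's own origin), and
    wildcard subdomains are not modeled.
    """
    sources = effective_sources(parse_csp(header), "frame-ancestors")
    if sources is None:
        return True  # no governing directive: any site may frame the page
    if "'none'" in sources:
        return False
    return "*" in sources or origin in sources


if __name__ == "__main__":
    for label, csp in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(f"{label}: framing restricted = {framing_restricted(csp)}")
```

Run against the old header this reports framing as unrestricted even though `default-src 'none'` is present, which is exactly the gap the new else branch closes; the same policy still forbids images and scripts, because those directives do inherit from default-src. Browsers that honour frame-ancestors ignore X-Frame-Options when both are sent, so once the directive is emitted it is the one that decides.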
2 changes: 1 addition & 1 deletion build/integration/sharing_features/sharing-v1.feature
@@ -14,7 +14,7 @@ Feature: sharing
Then the OCS status code should be "100"
And the HTTP status code should be "200"
And The following headers should be set
| Content-Security-Policy | default-src 'none';base-uri 'none';manifest-src 'self' |
| Content-Security-Policy | default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' |

Scenario: Creating a share with a group
Given user "user0" exists
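Review bot: the updated expectation pins the exact directive order with `frame-ancestors 'none'` as the last directive, so any later reordering inside buildPolicy() fails this scenario even when the policy is semantically identical; acceptable for an integration test, but only the empty-ancestors case is exercised here. A scenario that sets an allowed frame ancestor and checks that the header carries that origin and not `'none'` would cover the other side of the new branch.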
2 changes: 2 additions & 0 deletions lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -509,6 +509,8 @@ public function buildPolicy() {
if (!empty($this->allowedFrameAncestors)) {
$policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
$policy .= ';';
} else {
$policy .= 'frame-ancestors \'none\';';
}

if (!empty($this->allowedWorkerSrcDomains)) {
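Review bot: the else branch encodes a spec fact (frame-ancestors does not inherit from default-src) that currently lives only in the commit message; a one-line comment above `} else {` such as `// frame-ancestors has no default-src fallback: absent means framing is unrestricted` would stop a future cleanup from "simplifying" it away. The escaped literal `'frame-ancestors \'none\';'` reads more easily as `"frame-ancestors 'none';"`. Note the behavioural consequence: every policy built with an empty allowedFrameAncestors is now unembeddable, so any page that must be framed has to populate that list explicitly rather than relying on the previous implicit allow.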
2 changes: 1 addition & 1 deletion tests/lib/AppFramework/Controller/ControllerTest.php
@@ -112,7 +112,7 @@ public function testFormatDataResponseJSON() {
'test' => 'something',
'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Type' => 'application/json; charset=utf-8',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'",
'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'",
'X-Robots-Tag' => 'none',
];
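Review bot: this only updates the literal for the default policy, which now asserts the new else branch; there is still no unit test for the case where a frame ancestor has been added, i.e. that the output contains the allowed origin and does not also contain `'none'`. One such assertion next to this expectation would guard the branch that this change makes the default.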
2 changes: 1 addition & 1 deletion tests/lib/AppFramework/Http/DataResponseTest.php
@@ -65,7 +65,7 @@ public function testConstructorAllowsToSetHeaders() {

$expectedHeaders = [
'Cache-Control' => 'no-cache, no-store, must-revalidate',
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'",
'Feature-Policy' => "autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'",
'X-Robots-Tag' => 'none',
];
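Review bot: the expected Content-Security-Policy string is duplicated verbatim between this test and ControllerTest.php, so every change to the default policy (as here) has to be applied in lockstep in both files. A shared constant for the default CSP in the test suite would keep the default policy asserted in one place and make a missed update show up as a single failure rather than two diverging literals.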