Allow AppFramework applications to specify a custom CSP header #13989
Conversation
LukasReschke
force-pushed
the
enhancment/security/11857
branch
from
8d46df5
to
be875ff
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
Yes, the Response class seems indeed the right place to tackle it. As for the naming: *Helper is redundant. There are two ways to do it IMHO: $csp = new OCP\AppFramework\Http\CSP();
$csp->allowImageSrc('some.domain.com');
$response = new Response();
$response->setCSP($csp);$csp = 'some string with csp settings';
$response->setCSP($csp);
// or
$response->allowImageSrc('some.domain.com');The second one is easier to use because you dont need to read up on how to use the CSP class but I think the first approach is the correct one because it is easier to set default values and allow users to overwrite safe defaults and prevent easy mistakes For instance we never want the dev to set the complete csp string at once because he'll likely make a mistake. Will review further later ;) |
| * @param bool $state | ||
| * @return $this | ||
| */ | ||
| public function inlineScriptState($state = false) { |
There was a problem hiding this comment.
Id use something that implies the boolean more, like allowInlineScript($enabled = false), same for the following methods
|
Good idea and nicely executed, you're getting good at this ;) |
|
Thanks @Raydiation for reviewing. Much appreciated. I'll take a look at the comments today and incorporate them :) |
LukasReschke
force-pushed
the
enhancment/security/11857
branch
from
be875ff
to
34ea8ae
Compare
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes #11857 which is a pre-requisite for #13458 and #11925
LukasReschke
force-pushed
the
enhancment/security/11857
branch
from
34ea8ae
to
b20174b
Compare
| @@ -930,15 +930,6 @@ | |||
| ), | |||
|
|
|||
| /** | |||
| * Custom CSP policy, changing this will overwrite the standard policy | |||
| */ | |||
| 'custom_csp_policy' => | |||
There was a problem hiding this comment.
so - there is no need to configure this globally anymore?
I guess many installations out there already tweak this - e.g. to allow the installation to be iframed etc.
What's the migration path for such a scenario? @LukasReschke THX
There was a problem hiding this comment.
I guess many installations out there already tweak this - e.g. to allow the installation to be iframed etc.
Iframing is defined by another policy ;-)
The thing that might break are people using inline JS for example for tracking using Piwik / Google Analytics. But honestly, if you do such stuff you should also know how to fix it yourself (as in: It does not make sense to ship insecure defaults because of those few people ;-)
There was a problem hiding this comment.
Migration path: "Fix your blackmagic. This was anyways just a very ugly workaround in times where we didn't have the AppFramework and wanted apps to specify policies on their own."
There was a problem hiding this comment.
Let's add it to https://github.com/owncloud/core/wiki/ownCloud-8.1-Features once merged.
|
Refer to this link for build results (access rights to CI server needed): |
🙈 |
| * @param bool $state | ||
| * @return $this | ||
| */ | ||
| public function evalScriptState($state = true) { |
|
|
||
| if($this->lastModified) { | ||
| $mergeWith['Last-Modified'] = | ||
| $this->lastModified->format(\DateTime::RFC2822); | ||
| } | ||
|
|
||
| // Build Content-Security-Policy and use default if none has been specified | ||
| if(is_null($this->contentSecurityPolicy)) { |
There was a problem hiding this comment.
This can be moved right up and you can get rid of the if with
private $contentSecurityPolicy = new ContentSecurityPolicy();There was a problem hiding this comment.
I don't think one can set expressions as default field value:
Parse error: syntax error, unexpected 'new' (T_NEW) in /Users/lreschke/Programming/core/lib/public/appframework/http/response.php on line 76
|
👍 |
|
The inspection completed: 10 new issues, 44 updated code elements |
|
Refer to this link for build results (access rights to CI server needed): |
|
works here 👍 |
Allow AppFramework applications to specify a custom CSP header
|
This is a nice feature, but i have a problem with "$allowedImageDomains", this checks the image source, but what happens if i work directly with the data like: so the browser not load the image source but shows this error: so i have to set allowedImageDomains = '*' or is there are a other mechanism? Thanks |
|
@libasys |
|
I tested this and added following to the default behaviour of $allowedImageDomains on lib/public/appframework/http/contentsecuritypolicy.php This should be a default behaviour of $allowedImageDomains! Now it works as expected! |
I'd like to prevent this. There are at the moment not much apps that need this behaviour. You can do this on single controllers like that: $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
$csp->addAllowedImageDomain('data:');
$response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
$response->setContentSecurityPolicy($csp);
return $response; |
|
perfect! It works! :) Thanks! Should become part of the devs manual on owncloud.org with an example. |
|
Yup. – I still need to do it for 8.1. |
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from inline-CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
Fixes #11857 which is a pre-requisite for #13458 and #11925
@Raydiation Care to take a look at this? :)
@DeepDiver1975 You as well? – This is required in case we want to harden our CSP policy even further to allow applications such as documents to have some lightened rules. Might break one or two things but we will notice this fast and can port the specific controllers that break to use the AppFramework :-)