upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-08 00:02:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 33

Merge pull request #44088 from nextcloud/backport/43778/stable28

Browse source 
[stable28] Fix CSP for script-src with nonce on edge
This commit is contained in:
Ferdinand Thiessen 2024-03-11 16:32:07 +01:00 committed by GitHub
commit 01a7d4528c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/private/AppFramework/Http/Request.php
View file

@ -67,7 +67,7 @@ use Symfony\Component\HttpFoundation\IpUtils;
class Request implements \ArrayAccess, \Countable, IRequest {
public const USER_AGENT_IE = '/(MSIE)|(Trident)/';
// Microsoft Edge User Agent from https://msdn.microsoft.com/en-us/library/hh869301(v=vs.85).aspx
public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge\/[0-9.]+$/';
public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge?\/[0-9.]+$/';
// Firefox User Agent from https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
public const USER_AGENT_FIREFOX = '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/[0-9.]+$/';
// Chrome User Agent from https://developer.chrome.com/multidevice/user-agent

1
lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
View file

@ -69,6 +69,7 @@ class ContentSecurityPolicyNonceManager {
Request::USER_AGENT_CHROME,
Request::USER_AGENT_FIREFOX,
Request::USER_AGENT_SAFARI,
Request::USER_AGENT_MS_EDGE,
];
if ($this->request->isUserAgent($browserWhitelist)) {

6
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View file

@ -37,8 +37,8 @@ namespace OCP\AppFramework\Http;
* @since 9.0.0
*/
class EmptyContentSecurityPolicy {
/** @var string JS nonce to be used */
protected $jsNonce = null;
/** @var ?string JS nonce to be used */
protected ?string $jsNonce = null;
/** @var bool Whether strict-dynamic should be used */
protected $strictDynamicAllowed = null;
/** @var bool Whether strict-dynamic should be used on script-src-elem */
@ -460,7 +460,7 @@ class EmptyContentSecurityPolicy {
$policy .= "base-uri 'none';";
$policy .= "manifest-src 'self';";
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
$policy .= 'script-src ';
$scriptSrc = '';
if (is_string($this->jsNonce)) {