author | Julius Härtl <jus@bitgrid.net> | 2022-05-20 15:37:29 +0300 |
---|---|---|
committer | Julius Härtl <jus@bitgrid.net> | 2022-05-20 18:17:06 +0300 |
commit | fe1d41f852caa1c9aa1a4ef6ee55db63393038c4 (patch) | |
tree | 3e9502f3303b8f0fe60d73ab5b53454c7e312e39 | |
parent | 9e3447f850c2a56f6a66ea483723d72ff8150c4a (diff) |
Move remaining policy adjustments to a trait (bugfix/noid/csp-reload)
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r-- | lib/AppConfig.php | 3 | ||||
-rw-r--r-- | lib/Controller/DirectViewController.php | 12 | ||||
-rw-r--r-- | lib/Controller/DocumentController.php | 51 | ||||
-rw-r--r-- | lib/Controller/DocumentTrait.php | 42 | ||||
-rw-r--r-- | lib/Service/FederationService.php | 4 |
5 files changed, 53 insertions, 59 deletions
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
index 9cdf0bc4..f8f54f59 100644
--- a/lib/AppConfig.php
+++ b/lib/AppConfig.php
@@ -134,5 +134,4 @@ class AppConfig {
 public function getCollaboraUrlInternal(): string {
 return $this->config->getAppValue(Application::APPNAME, self::WOPI_URL, '');
 }
-
- }
+}
diff --git a/lib/Controller/DirectViewController.php b/lib/Controller/DirectViewController.php
index a36ac287..343cf231 100644
--- a/lib/Controller/DirectViewController.php
+++ b/lib/Controller/DirectViewController.php
@@ -32,7 +32,6 @@ use OCA\Richdocuments\TokenManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@@ -45,6 +44,7 @@ use OCP\ILogger;
 use OCP\IRequest;
 class DirectViewController extends Controller {
+ use DocumentTrait;
 /** @var IRootFolder */
 private $rootFolder;
@@ -180,10 +180,7 @@ class DirectViewController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url'));
- $response->setContentSecurityPolicy($policy);
+ $this->applyPolicies($response);
 return $response;
 } catch (\Exception $e) {
 $this->logger->logException($e);
@@ -236,10 +233,7 @@ class DirectViewController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url'));
- $response->setContentSecurityPolicy($policy);
+ $this->applyPolicies($response);
 return $response;
 }
 } catch (\Exception $e) {
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index e70bcae5..399f702e 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -27,8 +27,6 @@ use OCP\Files\NotPermittedException;
 use \OCP\IRequest;
 use \OCP\IConfig;
 use \OCP\ILogger;
-use \OCP\AppFramework\Http\ContentSecurityPolicy;
-use \OCP\AppFramework\Http\FeaturePolicy;
 use \OCP\AppFramework\Http\TemplateResponse;
 use \OCA\Richdocuments\AppConfig;
 use OCP\ISession;
@@ -36,6 +34,7 @@ use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
 class DocumentController extends Controller {
+ use DocumentTrait;
 /** @var string */
 private $uid;
@@ -135,37 +134,6 @@ class DocumentController extends Controller {
 }
 /**
- * Strips the path and query parameters from the URL.
- *
- * @param string $url
- * @return string
- */
- private function domainOnly($url) {
- $parsed_url = parse_url($url);
- $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : '';
- $host = isset($parsed_url['host']) ? $parsed_url['host'] : '';
- $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : '';
- return "$scheme$host$port";
- }
-
- /**
- * Setup policy headers for the response
- */
- private function setupPolicy($response) {
- $wopiDomain = $this->domainOnly($this->appConfig->getAppValue('public_wopi_url'));
-
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($wopiDomain);
- $policy->allowInlineScript(true);
- $policy->addAllowedFormActionDomain($wopiDomain);
- $response->setContentSecurityPolicy($policy);
-
- $featurePolicy = new FeaturePolicy();
- $featurePolicy->addAllowedFullScreenDomain($wopiDomain);
- $response->setFeaturePolicy($featurePolicy);
- }
-
- /**
 * @NoAdminRequired
 *
 * @param string $fileId
@@ -230,7 +198,7 @@ class DocumentController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
 return $response;
 } catch (\Exception $e) {
 $this->logger->logException($e, ['app' => 'richdocuments']);
@@ -289,7 +257,7 @@ class DocumentController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
 return $response;
 }
@@ -348,7 +316,7 @@ class DocumentController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $this->setupPolicy($response);
+ $this->applyPolicies($response);
 return $response;
 }
 } catch (\Exception $e) {
@@ -421,16 +389,7 @@ class DocumentController extends Controller {
 $this->initialState->provideDocument($wopi);
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $remoteWopi = $this->domainOnly($this->appConfig->getAppValue('wopi_url'));
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($remoteWopi);
- $policy->allowInlineScript(true);
- $policy->addAllowedFrameAncestorDomain('https://*');
- $response->setContentSecurityPolicy($policy);
- $featurePolicy = new FeaturePolicy();
- $featurePolicy->addAllowedFullScreenDomain($remoteWopi);
- $response->setFeaturePolicy($featurePolicy);
- $response->addHeader('X-Frame-Options', 'ALLOW');
+ $this->applyPolicies($response);
 return $response;
 }
 } catch (ShareNotFound $e) {
diff --git a/lib/Controller/DocumentTrait.php b/lib/Controller/DocumentTrait.php
new file mode 100644
index 00000000..992bbad9
--- /dev/null
+++ b/lib/Controller/DocumentTrait.php
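Review bot: The ten lines removed in the `@@ -421,16 +389,7 @@` hunk did more than the `$this->applyPolicies($response);` call that replaces them: they allowed `https://*` as a frame ancestor and built the frame and fullscreen allowances from `wopi_url`, while the trait added later in this commit sets no frame-ancestors and derives its host from `getCollaboraUrlPublic()`. For the remote-document view (going by the `$remoteWopi` name) this changes which origin is granted fullscreen and leaves cross-origin embedding dependent on policy set somewhere this page does not show. If that is intended, say so at the call site, e.g. `// CSP frame-ancestors for remote embedding is no longer set here; see <component that sets it>`. The enclosing method begins and ends outside the hunk.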
@@ -0,0 +1,42 @@
+<?php
+
+namespace OCA\Richdocuments\Controller;
+
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\AppFramework\Http\FeaturePolicy;
+
+trait DocumentTrait {
+ private $appConfig;
+
+ /**
+ * Setup policy headers for the response
+ */
+ private function applyPolicies($response) {
+ $collaboraHost = $this->domainOnly($this->appConfig->getCollaboraUrlPublic());
+
+ // FIXME We can skip inline source once templates/documents.php is migrated to IInitialState
+ $policy = new ContentSecurityPolicy();
+ $policy->allowInlineScript(true);
+ $response->setContentSecurityPolicy($policy);
+
+ $featurePolicy = new FeaturePolicy();
+ $featurePolicy->addAllowedFullScreenDomain($collaboraHost);
+ $response->setFeaturePolicy($featurePolicy);
+
+ $response->addHeader('X-Frame-Options', 'ALLOW');
+ }
+
+ /**
+ * Strips the path and query parameters from the URL.
+ *
+ * @param string $url
+ * @return string
+ */
+ private function domainOnly(string $url): string {
+ $parsed_url = parse_url($url);
+ $scheme = isset($parsed_url['scheme']) ? $parsed_url['scheme'] . '://' : '';
+ $host = isset($parsed_url['host']) ? $parsed_url['host'] : '';
+ $port = isset($parsed_url['port']) ? ':' . $parsed_url['port'] : '';
+ return "$scheme$host$port";
+ }
+}
diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php
index 9716229f..5d00c5e6 100644
--- a/lib/Service/FederationService.php
+++ b/lib/Service/FederationService.php
@@ -1,4 +1,5 @@
 <?php
+
 declare(strict_types=1);
 /**
@@ -78,7 +79,6 @@ class FederationService {
 } catch (ContainerExceptionInterface $e) {
 } catch (AutoloadNotAllowedException $e) {
 }
-
 }
 public function getTrustedServers(): array {
@@ -86,7 +86,7 @@ class FederationService {
 return [];
 }
- return array_map(function(array $server) {
+ return array_map(function (array $server) {
 return $server['url'];
 }, $this->trustedServers->getServers());
 } |
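Review bot: `$response->addHeader('X-Frame-Options', 'ALLOW');` at the end of `applyPolicies()` in the new DocumentTrait.php now applies to every response that goes through the trait — both DirectViewController call sites and all four DocumentController call sites — where before this commit only the remote-document branch sent it. `ALLOW` is not a value the header defines (`DENY` and `SAMEORIGIN` are), so what a browser does with it, and whether it replaces a restrictive default the framework may set, cannot be told from this diff; if it does replace one, the authenticated and direct-view pages lose their framing restriction. I would scope it with `private function applyPolicies($response, bool $allowExternalFraming = false)` and `if ($allowExternalFraming) { $response->addHeader('X-Frame-Options', 'ALLOW'); }`, passing `true` only from the remote endpoint. The trait also no longer adds the frame and form-action domains that the removed `setupPolicy()` added; presumably another component supplies them now, which deserves a line in the docblock.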