author | Luc Didry <luc@didry.org> | 2022-02-16 13:01:38 +0300 |
---|---|---|
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2022-02-21 12:10:22 +0300 |
commit | 3d3904df922f654c5be1d793d0fa9d41bd4beb7b (patch) | |
tree | 79b226e29a2078dea89a4efe460c923bc4f48fca | |
parent | 5ac0be9effb7b8c4e7ba7020a877a393aa491862 (diff) |
🐛 Fix CSP violation when Nextcloud server has so-called 'service root'
When Nextcloud is installed under a sub-path (a so-called 'service root'), e.g. https://example.org/nextcloud, the browser reported a CSP violation when opening a document.
```
Refused to send form data to 'https://coolwsd.example.org/browser/739da71/cool.html?WOPISrc=https%3A%2F…gl&title=Foobar.ods&lang=fr&closebutton=1&revisionhistory=1' because it violates the following Content Security Policy directive: "form-action 'self'".
```
Similar to PR #1000
Signed-off-by: Luc Didry <luc@didry.org>
-rw-r--r-- | lib/AppInfo/Application.php | 4 | ||||
-rw-r--r-- | lib/Controller/DocumentController.php | 1 |
2 files changed, 2 insertions, 3 deletions
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 449d0bcc..9fbb5468 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -211,9 +211,7 @@ class Application extends App implements IBootstrap {
 if ($publicWopiUrl !== '') {
 $policy->addAllowedFrameDomain('\'self\'');
 $policy->addAllowedFrameDomain($this->domainOnly($publicWopiUrl));
- if (method_exists($policy, 'addAllowedFormActionDomain')) {
- $policy->addAllowedFormActionDomain($this->domainOnly($publicWopiUrl));
- }
+ $policy->addAllowedFormActionDomain($this->domainOnly($publicWopiUrl));
 }
 /**
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index 23e1bde5..1c14c893 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -159,6 +159,7 @@ class DocumentController extends Controller {
 $policy = new ContentSecurityPolicy();
 $policy->addAllowedFrameDomain($wopiDomain);
 $policy->allowInlineScript(true);
+ $policy->addAllowedFormActionDomain($wopiDomain);
 $response->setContentSecurityPolicy($policy);
 $featurePolicy = new FeaturePolicy();
|
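Review bot: Dropping the `method_exists` guard turns what used to be a silent no-op on servers whose `ContentSecurityPolicy` lacks `addAllowedFormActionDomain` into a fatal "call to undefined method" during app boot, at the new `$policy->addAllowedFormActionDomain($this->domainOnly($publicWopiUrl));` line. That is only safe if the minimum server version declared in appinfo/info.xml already excludes every such server; that file is not part of this diff, so please confirm it was bumped (or was already high enough) in the same release. A short why-comment on the call would also spare the next maintainer from re-adding the fallback, e.g. `// form-action must allow the WOPI host: the editor frame is opened by a form POST (unconditional since the min server version guarantees this method)`. The enclosing method begins and ends outside this hunk, so the surrounding `$policy` construction and its registration could not be reviewed here.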
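Review bot: The added `$policy->addAllowedFormActionDomain($wopiDomain);` carries no comment explaining why a form-action allowance is needed for a host that is already permitted as a frame source, and the reason (the COOL editor page is reached by submitting a form to the WOPI host, per the CSP error quoted in the commit message) is not obvious from the code. Suggest `// the editor iframe is loaded via a form POST to the WOPI host, so form-action must allow it alongside frame-src`. From a policy standpoint this only extends form-action to the same `$wopiDomain` value already used for frame-src, so no additional host gains the ability to receive form data — provided `$wopiDomain` is a host-only value like the `domainOnly()` result used in Application.php; its derivation, and the start and end of the enclosing method, lie outside this hunk, so that could not be confirmed here.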