From e31b0674afb5d74c6bcccbda3044b786dea0a896 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Szymon=20K=C5=82os?= Date: Wed, 24 Mar 2021 14:16:29 +0100 Subject: Setup FeaturePolicy to allow fullscreen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Szymon Kłos
---
 lib/Controller/DocumentController.php | 38 +++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 13 deletions(-) (limited to 'lib')
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index 2bf25322..8235da68 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -31,6 +31,7 @@ use \OCP\IConfig;
 use \OCP\IL10N;
 use \OCP\ILogger;
 use \OCP\AppFramework\Http\ContentSecurityPolicy;
+use \OCP\AppFramework\Http\FeaturePolicy;
 use \OCP\AppFramework\Http\TemplateResponse;
 use \OCA\Richdocuments\AppConfig;
 use \OCA\Richdocuments\Helper;
@@ -174,6 +175,22 @@ class DocumentController extends Controller {
 return "$scheme$host$port";
 }
+ /**
+ * Setup policy headers for the response
+ */
+ private function setupPolicy($response) {
+ $wopiDomain = $this->domainOnly($this->appConfig->getAppValue('public_wopi_url'));
+
+ $policy = new ContentSecurityPolicy();
+ $policy->addAllowedFrameDomain($wopiDomain);
+ $policy->allowInlineScript(true);
+ $response->setContentSecurityPolicy($policy);
+
+ $featurePolicy = new FeaturePolicy();
+ $featurePolicy->addAllowedFullScreenDomain($wopiDomain);
+ $response->setFeaturePolicy($featurePolicy);
+ }
+
 /**
 * Redirect to the files app with proper CSP headers set for federated editing
 * This is a workaround since we cannot set a nonce for allowing dynamic URLs in the richdocument iframe
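Review bot: `setupPolicy($response)` declares neither a parameter nor a return type, so a wrong argument surfaces only when `setContentSecurityPolicy` is reached; since `TemplateResponse` is already imported in the first hunk, declare it as `private function setupPolicy(TemplateResponse $response): void {`. The docblock "Setup policy headers for the response" should say what the policy permits and why, e.g. `Allow the public WOPI host to be framed and to request fullscreen; inline script is allowed because the editor bootstrap cannot carry a nonce`, because `allowInlineScript(true)` weakens the CSP and a reader of the helper otherwise cannot tell it is deliberate. `$wopiDomain` is taken from `public_wopi_url` with no check that the value is set, so the result of `domainOnly` for an empty config value (its body ends just above the helper, outside the hunk) decides whether an empty entry is added to both the frame-src and fullscreen allowlists; that is worth confirming and, if needed, guarding with an early return on an empty domain.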
@@ -278,10 +295,7 @@ class DocumentController extends Controller {
 }
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
- $policy->allowInlineScript(true);
- $response->setContentSecurityPolicy($policy);
+ $this->setupPolicy($response);
 return $response;
 } catch (\Exception $e) {
 $this->logger->logException($e, ['app'=>'richdocuments']);
@@ -344,10 +358,7 @@ class DocumentController extends Controller {
 ];
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
- $policy->allowInlineScript(true);
- $response->setContentSecurityPolicy($policy);
+ $this->setupPolicy($response);
 return $response;
 }
@@ -396,10 +407,7 @@ class DocumentController extends Controller {
 }
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
- $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('public_wopi_url')));
- $policy->allowInlineScript(true);
- $response->setContentSecurityPolicy($policy);
+ $this->setupPolicy($response);
 return $response;
 }
 } catch (\Exception $e) {
@@ -467,11 +475,15 @@ class DocumentController extends Controller {
 ];
 $response = new TemplateResponse('richdocuments', 'documents', $params, 'base');
+ $remoteWopi = $this->domainOnly($this->appConfig->getAppValue('wopi_url'));
 $policy = new ContentSecurityPolicy();
- $policy->addAllowedFrameDomain($this->domainOnly($this->appConfig->getAppValue('wopi_url')));
+ $policy->addAllowedFrameDomain($remoteWopi);
 $policy->allowInlineScript(true);
 $policy->addAllowedFrameAncestorDomain('https://*');
 $response->setContentSecurityPolicy($policy);
+ $featurePolicy = new FeaturePolicy();
+ $featurePolicy->addAllowedFullScreenDomain($remoteWopi);
+ $response->setFeaturePolicy($featurePolicy);
 $response->addHeader('X-Frame-Options', 'ALLOW');
 return $response;
 }
-- cgit v1.2.3
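Review bot: The fullscreen allowlist is now built in two places — in `setupPolicy()` for `public_wopi_url` and again inline here for `wopi_url` — so a later change to one (another feature directive, a protocol check) can silently miss the other. Giving the helper the domain as a parameter, `private function setupPolicy(TemplateResponse $response, string $wopiDomain): void`, and an optional switch for the extra `addAllowedFrameAncestorDomain('https://*')` directive would let this path reuse it, at the cost of touching the three call sites in the earlier hunks. Independently of that, `$remoteWopi` is derived from `wopi_url` without checking that the value is set, so what `domainOnly` returns for an empty config value determines whether an empty entry lands in both the frame-src and fullscreen allowlists; worth confirming. The enclosing method starts before this hunk.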