stricter CSP policy for mail body

2024-10-05 09:42:30 +02:00 · 2020-01-28 17:45:36 +01:00 · 2020-01-28 17:45:36 +01:00 · 2ea9549dcf
commit 2ea9549dcf
parent d8289ef29d
2 changed files with 16 additions and 3 deletions
--- a/api/src/Header/ContentSecurityPolicy.php
+++ b/api/src/Header/ContentSecurityPolicy.php
@ -51,10 +51,16 @@ class ContentSecurityPolicy
 	 *
 	 * @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...
 	 * @param string|array $attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
+	 * 	'none' removes all other attributes, even ones set later!
+	 * @param bool $reset =false true: remove existing default or hook attributes
 	 */
-	public static function add($source, $attrs)
+	public static function add($source, $attrs, $reset=false)
 	{
-		if (!isset(self::$sources[$source]))
+		if ($reset)
+		{
+			self::$sources[$source] = [];
+		}
+		elseif (!isset(self::$sources[$source]))
 		{
 			// set frame-src attrs of API and apps via hook
 			if (in_array($source, ['frame-src', 'connect-src']) && !isset($attrs))
@ -71,7 +77,7 @@ class ContentSecurityPolicy
 					}
 				}
 			}
-			self::$sources[$source] = array();
+			self::$sources[$source] = [];
 		}
 		foreach((array)$attrs as $attr)
 		{
--- a/mail/inc/class.mail_ui.inc.php
+++ b/mail/inc/class.mail_ui.inc.php
@ -3267,6 +3267,13 @@ $filter['before']= date("d-M-Y", $cutoffdate2);
 		if (!$smime)
 		{
 			Api\Session::cache_control(true);
+
+			// more strict CSP for displaying mail
+			foreach(['frame-src', 'connect-src', 'manifest-src', 'media-src'] as $src)
+			{
+				Api\Header\ContentSecurityPolicy::add($src, 'none');
+			}
+			Api\Header\ContentSecurityPolicy::add('script-src', 'self', true);	// true = remove default 'unsafe-eval'
 		}
 		// Compose the content of the frame
 		$frameHtml =