stricter CSP policy for mail body

Ralf Becker 2020-01-28 17:45:36 +01:00
parent d8289ef29d
commit 2ea9549dcf
2 changed files with 16 additions and 3 deletions


@ -51,10 +51,16 @@ class ContentSecurityPolicy
* *
* @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ... * @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...
* @param string|array $attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!) * @param string|array $attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
* 'none' removes all other attributes, even ones set later!
* @param bool $reset =false true: remove existing default or hook attributes
*/ */
public static function add($source, $attrs) public static function add($source, $attrs, $reset=false)
{ {
if (!isset(self::$sources[$source])) if ($reset)
{
self::$sources[$source] = [];
}
elseif (!isset(self::$sources[$source]))
{ {
// set frame-src attrs of API and apps via hook // set frame-src attrs of API and apps via hook
if (in_array($source, ['frame-src', 'connect-src']) && !isset($attrs)) if (in_array($source, ['frame-src', 'connect-src']) && !isset($attrs))
@ -71,7 +77,7 @@ class ContentSecurityPolicy
} }
} }
} }
self::$sources[$source] = array(); self::$sources[$source] = [];
} }
foreach((array)$attrs as $attr) foreach((array)$attrs as $attr)
{ {
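Review bot: The new `$reset` branch has a side effect the docblock does not mention: when `add()` is called with `$reset = true` for a source that has not been initialised yet, `self::$sources[$source] = []` is set before the `elseif` that would have run the frame-src/connect-src hook, and every later call then finds the source set, so the hook-provided defaults are never collected for that source in this request. That is presumably the intent for the mail-body case, but a caller passing `$reset` to harden a policy should know it also discards defaults that were not yet added; I would extend the `@param bool $reset` line to `@param bool $reset =false true: remove existing default or hook attributes (also suppresses hook defaults not yet collected for $source)`. The signature is also still untyped; `public static function add(string $source, $attrs, bool $reset = false)` would at least prevent a truthy non-bool being passed by accident as the third argument. The body of `add()` continues past both hunks shown here.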


@ -3267,6 +3267,13 @@ $filter['before']= date("d-M-Y", $cutoffdate2);
if (!$smime) if (!$smime)
{ {
Api\Session::cache_control(true); Api\Session::cache_control(true);
// more strict CSP for displaying mail
foreach(['frame-src', 'connect-src', 'manifest-src', 'media-src'] as $src)
{
Api\Header\ContentSecurityPolicy::add($src, 'none');
}
Api\Header\ContentSecurityPolicy::add('script-src', 'self', true); // true = remove default 'unsafe-eval'
} }
// Compose the content of the frame // Compose the content of the frame
$frameHtml = $frameHtml =
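Review bot: The stricter policy is only applied inside `if (!$smime)`, so a mail body displayed through the S/MIME path keeps the default `script-src` (including `unsafe-eval`) and the default `frame-src`/`connect-src`, while a plain message gets the locked-down set; whether that is deliberate cannot be seen from this hunk. If the S/MIME branch renders the body into the same frame it should get the same `add()` calls, and if it intentionally differs a comment such as `// S/MIME mails are rendered via <path/branch> and get their CSP there` at the `if (!$smime)` would stop a later reader from treating this as an oversight. The new calls also depend on two behaviours documented only in the ContentSecurityPolicy class — `'none'` overriding attributes added later, and `$reset` dropping the default attributes — so `'self'` here should be confirmed to be emitted quoted as a CSP keyword rather than as a bare host name. The enclosing function starts well before this hunk.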