egroupware_official/api/src/Header/ContentSecurityPolicy.php

<?php
/**
 * EGroupware API - Content Security Policy headers
 *
 * @link http://www.egroupware.org
 * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
 * @package api
 * @subpackage header
 * @access public
 * @version $Id$
 */

namespace EGroupware\Api\Header;

use EGroupware\Api;

/**
 * Content Security Policy headers
 */
class ContentSecurityPolicy
{
	/**
	 * Additional attributes or urls for CSP beside always added 'self' for everything not 'none'
	 *
	 *	- "script-src 'self' 'unsafe-eval'" allows only self and eval, but forbids inline scripts, onchange, etc
	 *	- "connect-src 'self'" allows ajax requests only to self
	 *	- "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need
	 *	- "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
	 *	- "manifest-src 'self'"
	 *  - "'"frame-ancestors 'self'" does not allow to frame (embed in frameset) other then self / clickjacking protection
	 *	- "media-src 'self' data:"
	 *	- "img-src 'self' data: https:"
	 *	- "default-src 'none'" disallows all not explicitly set sources
	 *
	 * @var array
	 */
	private static $sources = array(				// our dhtmlxcommon version (not the current) uses eval,
		'script-src'  => array("'unsafe-eval'"),	// sidebox javascript links, et2_widget_date / jQueryUI datepicker, maybe more
		'style-src'   => array("'unsafe-inline'"),	// eTemplate styles and custom framework colors
		'connect-src' => null,	// NOT array(), to allow setting no default connect-src!
		'frame-src'   => null,	// NOT array(), to allow setting no default frame-src!
		'manifest-src'=> ["'self'"],
		'frame-ancestors' => ["'self'"],	// does not allow to frame (embed in frameset) other then self / clickjacking protection
		'media-src'   => ["data:"],
		'img-src'     => ["data:", "https:"],
		'default-src' => ["'none'"],	// disallows all not explicit set sources!
	);

	/**
	 * Add Content-Security-Policy sources
	 *
	 * Calling this method with an empty array for frame-src, sets no defaults but "'self'"!
	 *
	 * @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...
	 * @param string|array $attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
	 * 	'none' removes all other attributes, even ones set later!
	 * @param bool $reset =false true: remove existing default or hook attributes
	 */
	public static function add($source, $attrs, $reset=false)
	{
		if ($reset)
		{
			self::$sources[$source] = [];
		}
		elseif (!isset(self::$sources[$source]))
		{
			// set frame-src attrs of API and apps via hook
			if (in_array($source, ['frame-src', 'connect-src']) && !isset($attrs))
			{
				$attrs = [];
				// for regular (non login) pages, call hook allowing apps to add additional frame- and connect-src
				if (basename($_SERVER['PHP_SELF']) !== 'login.php' &&
					// no permission / user-run-rights check for connect-src
					($app_additional = Api\Hooks::process('csp-'.$source, [], $source === 'connect-src')))
				{
					foreach($app_additional as $app => $additional)
					{
						if ($additional) $attrs = array_unique(array_merge($attrs, $additional));
					}
				}
			}
			self::$sources[$source] = [];
		}
		foreach((array)$attrs as $attr)
		{
			if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
			{
				$attr = "'$attr'";	// automatic add quotes
			}
			if (!in_array($attr, self::$sources[$source]))
			{
				self::$sources[$source][] = $attr;
				//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
			}
		}
	}

	/**
	 * Set Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
	 *
	 * Old pre-et2 apps might need to call Api\Headers::script_src_attrs(array('unsafe-eval','unsafe-inline'))
	 *
	 * EGroupware itself currently still requires 'unsafe-eval'!
	 *
	 * @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
	 */
	public static function add_script_src($set=null)
	{
		self::add('script-src', $set);
	}

	/**
	 * Set Content-Security-Policy attributes for style-src: 'unsafe-inline'
	 *
	 * EGroupware itself currently still requires 'unsafe-inline'!
	 *
	 * @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
	 */
	public static function add_style_src($set=null)
	{
		self::add('style-src', $set);
	}

	/**
	 * Set Content-Security-Policy attributes for connect-src:
	 *
	 * @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
	 */
	public static function add_connect_src($set=null)
	{
		self::add('connect-src', $set);
	}

	/**
	 * Set/get Content-Security-Policy attributes for frame-src:
	 *
	 * Calling this method with an empty array sets no frame-src, but "'self'"!
	 *
	 * @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
	 */
	public static function add_frame_src($set=null)
	{
		self::add('frame-src', $set);
	}

	/**
	 * Send Content-Security-Policy header
	 *
	 * @link http://content-security-policy.com/
	 */
	public static function send()
	{
		self::add('connect-src', null);    // set defaults for connect-src (no run rights checked)
		self::add('frame-src', null);    // set defaults for frame-src

		// force default-src 'none'
		self::$sources['default-src'] = ["'none'"];

		$policies = array();
		foreach (self::$sources as $source => $urls) {
			// for 'none' remove source, as we use "default-src 'none'"
			if (in_array("'none'", $urls)) {
				if ($source !== 'default-src') continue;
			}
			// automatic add 'self', if not 'none'
			elseif (!in_array("'self'", $urls)) {
				array_unshift($urls, "'self'");
			}
			$policies[] = "$source " . implode(' ', $urls);
		}
		self::header(implode('; ', $policies));
	}

	/**
	 * Send a CSP header with given policy
	 *
	 * @param {string} $csp
	 */
	public static function header($csp)
	{
		$user_agent = UserAgent::type();
		$version = UserAgent::version();

		// recommendation is to not send regular AND deprecated headers together, as they can cause unexpected behavior
		if ($user_agent === 'chrome' && $version < 25 || $user_agent === 'safari' && $version < 7)
		{
			header("X-Webkit-CSP: $csp");	// Chrome: <= 24, Safari incl. iOS
		}
		elseif ($user_agent === 'firefox' && $version < 23 || $user_agent === 'msie')	// Edge is reported as 'edge'!
		{
			header("X-Content-Security-Policy: $csp");
		}
		else
		{
			header("Content-Security-Policy: $csp");
		}
	}
}
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`<?php`
			`/**`
			`* EGroupware API - Content Security Policy headers`
			`*`
			`* @link http://www.egroupware.org`
			`* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>`
			`* @package api`
			`* @subpackage header`
			`* @access public`
			`* @version $Id$`
			`*/`

			`namespace EGroupware\Api\Header;`

use static Hooks methods 2016-05-11 20:58:10 +02:00			`use EGroupware\Api;`

move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`/**`
			`* Content Security Policy headers`
			`*/`
			`class ContentSecurityPolicy`
			`{`
			`/**`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* Additional attributes or urls for CSP beside always added 'self' for everything not 'none'`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*`
Deprecate CKEDITOR and remove it from source 2019-01-25 12:41:13 +01:00			`* - "script-src 'self' 'unsafe-eval'" allows only self and eval, but forbids inline scripts, onchange, etc`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`* - "connect-src 'self'" allows ajax requests only to self`
			`* - "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need`
			`* - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* - "manifest-src 'self'"`
adding CSP frame-ancestors 'self' policy to mitigate clickjacking 2020-01-28 18:19:40 +01:00			`* - "'"frame-ancestors 'self'" does not allow to frame (embed in frameset) other then self / clickjacking protection`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* - "media-src 'self' data:"`
			`* - "img-src 'self' data: https:"`
			`* - "default-src 'none'" disallows all not explicitly set sources`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*`
			`* @var array`
			`*/`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`private static $sources = array( // our dhtmlxcommon version (not the current) uses eval,`
			`'script-src' => array("'unsafe-eval'"), // sidebox javascript links, et2_widget_date / jQueryUI datepicker, maybe more`
			`'style-src' => array("'unsafe-inline'"), // eTemplate styles and custom framework colors`
support for new Swoole push server 2019-11-04 09:29:49 +01:00			`'connect-src' => null, // NOT array(), to allow setting no default connect-src!`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`'frame-src' => null, // NOT array(), to allow setting no default frame-src!`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`'manifest-src'=> ["'self'"],`
adding CSP frame-ancestors 'self' policy to mitigate clickjacking 2020-01-28 18:19:40 +01:00			`'frame-ancestors' => ["'self'"], // does not allow to frame (embed in frameset) other then self / clickjacking protection`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`'media-src' => ["data:"],`
			`'img-src' => ["data:", "https:"],`
			`'default-src' => ["'none'"], // disallows all not explicit set sources!`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`);`

			`/**`
			`* Add Content-Security-Policy sources`
			`*`
			`* Calling this method with an empty array for frame-src, sets no defaults but "'self'"!`
			`*`
			`* @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* @param string\|array $attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)`
stricter CSP policy for mail body 2020-01-28 17:45:36 +01:00			`* 'none' removes all other attributes, even ones set later!`
			`* @param bool $reset =false true: remove existing default or hook attributes`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*/`
stricter CSP policy for mail body 2020-01-28 17:45:36 +01:00			`public static function add($source, $attrs, $reset=false)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
stricter CSP policy for mail body 2020-01-28 17:45:36 +01:00			`if ($reset)`
			`{`
			`self::$sources[$source] = [];`
			`}`
			`elseif (!isset(self::$sources[$source]))`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
			`// set frame-src attrs of API and apps via hook`
support for new Swoole push server 2019-11-04 09:29:49 +01:00			`if (in_array($source, ['frame-src', 'connect-src']) && !isset($attrs))`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
support for new Swoole push server 2019-11-04 09:29:49 +01:00			`$attrs = [];`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`// for regular (non login) pages, call hook allowing apps to add additional frame- and connect-src`
			`if (basename($_SERVER['PHP_SELF']) !== 'login.php' &&`
			`// no permission / user-run-rights check for connect-src`
			`($app_additional = Api\Hooks::process('csp-'.$source, [], $source === 'connect-src')))`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`foreach($app_additional as $app => $additional)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`if ($additional) $attrs = array_unique(array_merge($attrs, $additional));`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`}`
			`}`
			`}`
stricter CSP policy for mail body 2020-01-28 17:45:36 +01:00			`self::$sources[$source] = [];`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`}`
			`foreach((array)$attrs as $attr)`
			`{`
			`if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))`
			`{`
			`$attr = "'$attr'"; // automatic add quotes`
			`}`
			`if (!in_array($attr, self::$sources[$source]))`
			`{`
			`self::$sources[$source][] = $attr;`
			`//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());`
			`}`
			`}`
			`}`

			`/**`
			`* Set Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'`
			`*`
			`* Old pre-et2 apps might need to call Api\Headers::script_src_attrs(array('unsafe-eval','unsafe-inline'))`
			`*`
			`* EGroupware itself currently still requires 'unsafe-eval'!`
			`*`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* @param string\|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*/`
			`public static function add_script_src($set=null)`
			`{`
			`self::add('script-src', $set);`
			`}`

			`/**`
			`* Set Content-Security-Policy attributes for style-src: 'unsafe-inline'`
			`*`
			`* EGroupware itself currently still requires 'unsafe-inline'!`
			`*`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* @param string\|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*/`
			`public static function add_style_src($set=null)`
			`{`
			`self::add('style-src', $set);`
			`}`

			`/**`
			`* Set Content-Security-Policy attributes for connect-src:`
			`*`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* @param string\|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*/`
			`public static function add_connect_src($set=null)`
			`{`
			`self::add('connect-src', $set);`
			`}`

			`/**`
			`* Set/get Content-Security-Policy attributes for frame-src:`
			`*`
			`* Calling this method with an empty array sets no frame-src, but "'self'"!`
			`*`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`* @param string\|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`*/`
			`public static function add_frame_src($set=null)`
			`{`
			`self::add('frame-src', $set);`
			`}`

			`/**`
			`* Send Content-Security-Policy header`
			`*`
			`* @link http://content-security-policy.com/`
			`*/`
			`public static function send()`
			`{`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`self::add('connect-src', null); // set defaults for connect-src (no run rights checked)`
			`self::add('frame-src', null); // set defaults for frame-src`

			`// force default-src 'none'`
			`self::$sources['default-src'] = ["'none'"];`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00
			`$policies = array();`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`foreach (self::$sources as $source => $urls) {`
			`// for 'none' remove source, as we use "default-src 'none'"`
			`if (in_array("'none'", $urls)) {`
			`if ($source !== 'default-src') continue;`
			`}`
			`// automatic add 'self', if not 'none'`
			`elseif (!in_array("'self'", $urls)) {`
			`array_unshift($urls, "'self'");`
			`}`
			`$policies[] = "$source " . implode(' ', $urls);`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`}`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`self::header(implode('; ', $policies));`
			`}`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00
stricter CSP policy 2020-01-28 17:14:38 +01:00			`/**`
			`* Send a CSP header with given policy`
			`*`
			`* @param {string} $csp`
			`*/`
			`public static function header($csp)`
			`{`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`$user_agent = UserAgent::type();`
			`$version = UserAgent::version();`

stricter CSP policy 2020-01-28 17:14:38 +01:00			`// recommendation is to not send regular AND deprecated headers together, as they can cause unexpected behavior`
			`if ($user_agent === 'chrome' && $version < 25 \|\| $user_agent === 'safari' && $version < 7)`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
			`header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS`
			`}`
stricter CSP policy 2020-01-28 17:14:38 +01:00			`elseif ($user_agent === 'firefox' && $version < 23 \|\| $user_agent === 'msie') // Edge is reported as 'edge'!`
move egw_framework::csp__source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig 2016-03-13 15:08:31 +01:00			`{`
			`header("X-Content-Security-Policy: $csp");`
			`}`
			`else`
			`{`
			`header("Content-Security-Policy: $csp");`
			`}`
			`}`
			`}`