2016-03-13 15:08:31 +01:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* EGroupware API - Content Security Policy headers
|
|
|
|
*
|
|
|
|
* @link http://www.egroupware.org
|
|
|
|
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
|
|
|
* @package api
|
|
|
|
* @subpackage header
|
|
|
|
* @access public
|
|
|
|
* @version $Id$
|
|
|
|
*/
|
|
|
|
|
|
|
|
namespace EGroupware\Api\Header;
|
|
|
|
|
2016-05-11 20:58:10 +02:00
|
|
|
use EGroupware\Api;
|
|
|
|
|
2016-03-13 15:08:31 +01:00
|
|
|
/**
|
|
|
|
* Content Security Policy headers
|
|
|
|
*/
|
|
|
|
class ContentSecurityPolicy
|
|
|
|
{
|
|
|
|
/**
|
2020-01-28 17:14:38 +01:00
|
|
|
* Additional attributes or urls for CSP beside always added 'self' for everything not 'none'
|
2016-03-13 15:08:31 +01:00
|
|
|
*
|
2019-01-25 12:41:13 +01:00
|
|
|
* - "script-src 'self' 'unsafe-eval'" allows only self and eval, but forbids inline scripts, onchange, etc
|
2016-03-13 15:08:31 +01:00
|
|
|
* - "connect-src 'self'" allows ajax requests only to self
|
|
|
|
* - "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need
|
|
|
|
* - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
|
2020-01-28 17:14:38 +01:00
|
|
|
* - "manifest-src 'self'"
|
2020-01-28 18:19:40 +01:00
|
|
|
* - "'"frame-ancestors 'self'" does not allow to frame (embed in frameset) other then self / clickjacking protection
|
2020-01-28 17:14:38 +01:00
|
|
|
* - "media-src 'self' data:"
|
|
|
|
* - "img-src 'self' data: https:"
|
|
|
|
* - "default-src 'none'" disallows all not explicitly set sources
|
2016-03-13 15:08:31 +01:00
|
|
|
*
|
|
|
|
* @var array
|
|
|
|
*/
|
2020-01-28 17:14:38 +01:00
|
|
|
private static $sources = array( // our dhtmlxcommon version (not the current) uses eval,
|
2022-04-29 17:05:43 +02:00
|
|
|
'script-src' => array("'unsafe-eval'"), // sidebox javascript links, maybe more
|
2020-01-28 17:14:38 +01:00
|
|
|
'style-src' => array("'unsafe-inline'"), // eTemplate styles and custom framework colors
|
2020-04-30 17:31:46 +02:00
|
|
|
'connect-src' => null, // NOT array(), to call the hook
|
|
|
|
'frame-src' => null, // NOT array(), to call the hook
|
2020-01-28 17:14:38 +01:00
|
|
|
'manifest-src'=> ["'self'"],
|
2020-01-28 18:19:40 +01:00
|
|
|
'frame-ancestors' => ["'self'"], // does not allow to frame (embed in frameset) other then self / clickjacking protection
|
2020-01-28 17:14:38 +01:00
|
|
|
'media-src' => ["data:"],
|
2020-10-19 11:14:24 +02:00
|
|
|
'img-src' => ["data:", "https:", "blob:"],
|
2020-01-28 17:14:38 +01:00
|
|
|
'default-src' => ["'none'"], // disallows all not explicit set sources!
|
2016-03-13 15:08:31 +01:00
|
|
|
);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Add Content-Security-Policy sources
|
|
|
|
*
|
2020-04-30 17:31:46 +02:00
|
|
|
* Calling this method with an empty array for frame-src or connect-src causes the hook to NOT run and just set 'self'!
|
2016-03-13 15:08:31 +01:00
|
|
|
*
|
|
|
|
* @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...
|
2022-07-08 14:15:30 +02:00
|
|
|
* @param string|array $_attrs 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
|
2020-01-28 17:45:36 +01:00
|
|
|
* 'none' removes all other attributes, even ones set later!
|
|
|
|
* @param bool $reset =false true: remove existing default or hook attributes
|
2016-03-13 15:08:31 +01:00
|
|
|
*/
|
2022-07-08 14:15:30 +02:00
|
|
|
public static function add($source, $_attrs, $reset=false)
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
2022-07-08 14:15:30 +02:00
|
|
|
$attrs = (array)$_attrs;
|
|
|
|
|
2020-01-28 17:45:36 +01:00
|
|
|
if ($reset)
|
|
|
|
{
|
|
|
|
self::$sources[$source] = [];
|
|
|
|
}
|
|
|
|
elseif (!isset(self::$sources[$source]))
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
|
|
|
// set frame-src attrs of API and apps via hook
|
2022-07-08 14:15:30 +02:00
|
|
|
if (in_array($source, ['frame-src', 'connect-src']) && $_attrs !== [])
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
2020-01-28 17:14:38 +01:00
|
|
|
// for regular (non login) pages, call hook allowing apps to add additional frame- and connect-src
|
|
|
|
if (basename($_SERVER['PHP_SELF']) !== 'login.php' &&
|
|
|
|
// no permission / user-run-rights check for connect-src
|
|
|
|
($app_additional = Api\Hooks::process('csp-'.$source, [], $source === 'connect-src')))
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
2020-01-28 17:14:38 +01:00
|
|
|
foreach($app_additional as $app => $additional)
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
2022-06-29 08:59:59 +02:00
|
|
|
if ($additional) $attrs = array_unique(array_merge($attrs, $additional));
|
2016-03-13 15:08:31 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-01-28 17:45:36 +01:00
|
|
|
self::$sources[$source] = [];
|
2016-03-13 15:08:31 +01:00
|
|
|
}
|
2022-06-13 13:19:54 +02:00
|
|
|
// Shoelace needs connect-src: data:
|
|
|
|
if ($source === 'connect-src') /** @noinspection UnsupportedStringOffsetOperationsInspection */ $attrs[] = 'data:';
|
|
|
|
|
2022-06-29 08:59:59 +02:00
|
|
|
foreach($attrs as $attr)
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
|
|
|
if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
|
|
|
|
{
|
|
|
|
$attr = "'$attr'"; // automatic add quotes
|
|
|
|
}
|
2020-07-07 13:18:28 +02:00
|
|
|
// only add scheme and host, not path
|
|
|
|
elseif ($source !== 'report-uri' && ($parsed=parse_url($attr)) && !empty($parsed['scheme']) && !empty($parsed['path']))
|
|
|
|
{
|
|
|
|
$attr = $parsed['scheme'].'://'.$parsed['host'].(!empty($parsed['port']) ? ':'.$parsed['port'] : '');
|
|
|
|
}
|
2016-03-13 15:08:31 +01:00
|
|
|
if (!in_array($attr, self::$sources[$source]))
|
|
|
|
{
|
|
|
|
self::$sources[$source][] = $attr;
|
|
|
|
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-05 20:39:39 +02:00
|
|
|
/**
|
|
|
|
* Add a nonce to a given source
|
|
|
|
*
|
|
|
|
* @param string $source
|
|
|
|
* @return string
|
|
|
|
* @throws \Exception
|
|
|
|
*/
|
|
|
|
public static function addNonce($source='script-src')
|
|
|
|
{
|
|
|
|
static $nonce=null;
|
|
|
|
if (!isset($nonce))
|
|
|
|
{
|
|
|
|
$nonce = base64_encode(random_bytes(16));
|
|
|
|
self::add($source, "'nonce-$nonce'");
|
|
|
|
}
|
|
|
|
return $nonce;
|
|
|
|
}
|
|
|
|
|
2016-03-13 15:08:31 +01:00
|
|
|
/**
|
|
|
|
* Set Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
|
|
|
|
*
|
|
|
|
* Old pre-et2 apps might need to call Api\Headers::script_src_attrs(array('unsafe-eval','unsafe-inline'))
|
|
|
|
*
|
|
|
|
* EGroupware itself currently still requires 'unsafe-eval'!
|
|
|
|
*
|
2020-01-28 17:14:38 +01:00
|
|
|
* @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
|
2016-03-13 15:08:31 +01:00
|
|
|
*/
|
|
|
|
public static function add_script_src($set=null)
|
|
|
|
{
|
|
|
|
self::add('script-src', $set);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set Content-Security-Policy attributes for style-src: 'unsafe-inline'
|
|
|
|
*
|
|
|
|
* EGroupware itself currently still requires 'unsafe-inline'!
|
|
|
|
*
|
2020-01-28 17:14:38 +01:00
|
|
|
* @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
|
2016-03-13 15:08:31 +01:00
|
|
|
*/
|
|
|
|
public static function add_style_src($set=null)
|
|
|
|
{
|
|
|
|
self::add('style-src', $set);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set Content-Security-Policy attributes for connect-src:
|
|
|
|
*
|
2020-04-30 17:31:46 +02:00
|
|
|
* Calling this method with an empty array for caused the hook to NOT run and just set 'self'!
|
|
|
|
*
|
2020-01-28 17:14:38 +01:00
|
|
|
* @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
|
2016-03-13 15:08:31 +01:00
|
|
|
*/
|
|
|
|
public static function add_connect_src($set=null)
|
|
|
|
{
|
|
|
|
self::add('connect-src', $set);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set/get Content-Security-Policy attributes for frame-src:
|
|
|
|
*
|
2020-04-30 17:31:46 +02:00
|
|
|
* Calling this method with an empty array for caused the hook to NOT run and just set 'self'!
|
2016-03-13 15:08:31 +01:00
|
|
|
*
|
2020-01-28 17:14:38 +01:00
|
|
|
* @param string|array $set 'unsafe-eval', 'unsafe-inline' (without quotes!), full URLs or protocols (incl. colon!)
|
2016-03-13 15:08:31 +01:00
|
|
|
*/
|
|
|
|
public static function add_frame_src($set=null)
|
|
|
|
{
|
|
|
|
self::add('frame-src', $set);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Send Content-Security-Policy header
|
|
|
|
*
|
|
|
|
* @link http://content-security-policy.com/
|
|
|
|
*/
|
|
|
|
public static function send()
|
|
|
|
{
|
2020-01-28 17:14:38 +01:00
|
|
|
self::add('connect-src', null); // set defaults for connect-src (no run rights checked)
|
|
|
|
self::add('frame-src', null); // set defaults for frame-src
|
|
|
|
|
|
|
|
// force default-src 'none'
|
|
|
|
self::$sources['default-src'] = ["'none'"];
|
2016-03-13 15:08:31 +01:00
|
|
|
|
|
|
|
$policies = array();
|
2020-01-28 17:14:38 +01:00
|
|
|
foreach (self::$sources as $source => $urls) {
|
|
|
|
// for 'none' remove source, as we use "default-src 'none'"
|
|
|
|
if (in_array("'none'", $urls)) {
|
|
|
|
if ($source !== 'default-src') continue;
|
|
|
|
}
|
|
|
|
// automatic add 'self', if not 'none'
|
|
|
|
elseif (!in_array("'self'", $urls)) {
|
|
|
|
array_unshift($urls, "'self'");
|
|
|
|
}
|
|
|
|
$policies[] = "$source " . implode(' ', $urls);
|
2016-03-13 15:08:31 +01:00
|
|
|
}
|
2020-01-28 17:14:38 +01:00
|
|
|
self::header(implode('; ', $policies));
|
|
|
|
}
|
2016-03-13 15:08:31 +01:00
|
|
|
|
2020-01-28 17:14:38 +01:00
|
|
|
/**
|
|
|
|
* Send a CSP header with given policy
|
|
|
|
*
|
|
|
|
* @param {string} $csp
|
|
|
|
*/
|
|
|
|
public static function header($csp)
|
|
|
|
{
|
2016-03-13 15:08:31 +01:00
|
|
|
$user_agent = UserAgent::type();
|
|
|
|
$version = UserAgent::version();
|
|
|
|
|
2020-01-28 17:14:38 +01:00
|
|
|
// recommendation is to not send regular AND deprecated headers together, as they can cause unexpected behavior
|
|
|
|
if ($user_agent === 'chrome' && $version < 25 || $user_agent === 'safari' && $version < 7)
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
|
|
|
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
|
|
|
|
}
|
2020-01-28 17:14:38 +01:00
|
|
|
elseif ($user_agent === 'firefox' && $version < 23 || $user_agent === 'msie') // Edge is reported as 'edge'!
|
2016-03-13 15:08:31 +01:00
|
|
|
{
|
|
|
|
header("X-Content-Security-Policy: $csp");
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header("Content-Security-Policy: $csp");
|
|
|
|
}
|
|
|
|
}
|
2022-04-29 17:05:43 +02:00
|
|
|
}
|