extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-12-22 06:30:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

move egw_framework::csp_*_source_attrs($attrs) to Api\Header\ContentSecurityPolicy::add(*-src, $attrs) and egw_ckeditor_config to Api\Html\CkEditorConfig

Browse Source
This commit is contained in:
Ralf Becker 2016-03-13 14:08:31 +00:00
parent 69a070498b
commit 99714aa9e9
6 changed files with 702 additions and 619 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
api/src/Header/ContentSecurityPolicy.php Normal file
View File

@ -0,0 +1,164 @@
<?php
/**
* EGroupware API - Content Security Policy headers
*
* @link http://www.egroupware.org
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @package api
* @subpackage header
* @access public
* @version $Id$
*/
namespace EGroupware\Api\Header;
/**
* Content Security Policy headers
*/
class ContentSecurityPolicy
{
/**
* Additional attributes or urls for CSP beside always added "self"
*
* - "script-src 'self' 'unsafe-eval'" allows only self and eval (eg. ckeditor), but forbids inline scripts, onchange, etc
* - "connect-src 'self'" allows ajax requests only to self
* - "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need
* - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
*
* @var array
*/
private static $sources = array(
'script-src' => array("'unsafe-eval'"),
'style-src' => array("'unsafe-inline'"),
'connect-src' => array(),
'frame-src' => null, // NOT array(), to allow setting no default frame-src!
);
/**
* Add Content-Security-Policy sources
*
* Calling this method with an empty array for frame-src, sets no defaults but "'self'"!
*
* @param string|array $set =array() URL (incl. protocol!)
* @param string $source valid CSP source types like 'script-src', 'style-src', 'connect-src', 'frame-src', ...
* @param string|array $attrs 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
*/
public static function add($source, $attrs)
{
if (!isset(self::$sources[$source]))
{
// set frame-src attrs of API and apps via hook
if ($source == 'frame-src' && !isset($attrs))
{
$attrs = array('manual.egroupware.org', 'www.egroupware.org');
if (($app_additional = $GLOBALS['egw']->hooks->process('csp-frame-src')))
{
foreach($app_additional as $addtional)
{
if ($addtional) $attrs = array_unique(array_merge($attrs, $addtional));
}
}
}
self::$sources[$source] = array();
}
foreach((array)$attrs as $attr)
{
if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
{
$attr = "'$attr'"; // automatic add quotes
}
if (!in_array($attr, self::$sources[$source]))
{
self::$sources[$source][] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
}
/**
* Set Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
*
* Using CK-Editor currently requires both to be set :(
*
* Old pre-et2 apps might need to call Api\Headers::script_src_attrs(array('unsafe-eval','unsafe-inline'))
*
* EGroupware itself currently still requires 'unsafe-eval'!
*
* @param string|array $set =array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
*/
public static function add_script_src($set=null)
{
self::add('script-src', $set);
}
/**
* Set Content-Security-Policy attributes for style-src: 'unsafe-inline'
*
* EGroupware itself currently still requires 'unsafe-inline'!
*
* @param string|array $set =array() 'unsafe-inline' (without quotes!) and/or URL (incl. protocol!)
*/
public static function add_style_src($set=null)
{
self::add('style-src', $set);
}
/**
* Set Content-Security-Policy attributes for connect-src:
*
* @param string|array $set =array() URL (incl. protocol!)
*/
public static function add_connect_src($set=null)
{
self::add('connect-src', $set);
}
/**
* Set/get Content-Security-Policy attributes for frame-src:
*
* Calling this method with an empty array sets no frame-src, but "'self'"!
*
* @param string|array $set =array() URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
*/
public static function add_frame_src($set=null)
{
self::add('frame-src', $set);
}
/**
* Send Content-Security-Policy header
*
* @link http://content-security-policy.com/
*/
public static function send()
{
self::add('frame-src', null); // set defaults for frame-src
$policies = array();
foreach(self::$sources as $source => $urls)
{
$policies[] = "$source 'self' ".implode(' ', $urls);
}
$csp = implode('; ', $policies);
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
$user_agent = UserAgent::type();
$version = UserAgent::version();
// recommendaton ist to not send regular AND deprecated headers together, as they can cause unexpected behavior
if ($user_agent == 'chrome' && $version < 25 || $user_agent == 'safari' && $version < 7)
{
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
}
elseif ($user_agent == 'firefox' && $version < 23 || $user_agent == 'msie') // Edge is reported as 'edge'!
{
header("X-Content-Security-Policy: $csp");
}
else
{
header("Content-Security-Policy: $csp");
}
}
}

2
api/src/Header/UserAgent.php
View File

@ -50,7 +50,7 @@ class UserAgent
}
/**
* user-agent: 'firefox', 'msie', 'safari' (incl. iPhone), 'chrome', 'opera', 'konqueror', 'mozilla'
* user-agent: 'firefox', 'msie', 'edge', 'safari' (incl. iPhone), 'chrome', 'opera', 'konqueror', 'mozilla'
*
* @var string
*/

5
api/src/Html.php
View File

@ -16,7 +16,6 @@ namespace EGroupware\Api;
// explicitly import classes not yet imported into Api
use egw_framework; // validate_file, includeCSS
use egw_ckeditor_config;
use egw; // link
/**
@ -437,7 +436,7 @@ class Html
// User preferences
$font = $GLOBALS['egw_info']['user']['preferences']['common']['rte_font'];
$font_size = egw_ckeditor_config::font_size_from_prefs();
$font_size = Html\CkEditorConfing::font_size_from_prefs();
$font_span = '<span '.($font||$font_size?'style=\"':'').($font?'font-family:'.$font.'; ':'').($font_size?'font-size:'.$font_size.'; ':'').'\">';
if (empty($font) && empty($font_size)) $font_span = '';
@ -449,7 +448,7 @@ class Html
<script type="text/javascript">
window.CKEDITOR_BASEPATH="'.$GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/ckeditor/";
egw_LAB.wait(function() {
CKEDITOR.replace("'.$_name.'", '.egw_ckeditor_config::get_ckeditor_config($_mode,
CKEDITOR.replace("'.$_name.'", '.Html\CkEditorConfing::get_ckeditor_config($_mode,
$pxheight, $expanded, $_start_path).');
CKEDITOR.addCss("body { margin: 5px; }");
CKEDITOR.instances["'.$_name.'"].on(

518
api/src/Html/CkEditorConfig.php Normal file
View File

@ -0,0 +1,518 @@
<?php
/**
* EGroupware - Class which generates JSON encoded configuration for the ckeditor
*
* @link http://www.egroupware.org
* @author RalfBecker-AT-outdoor-training.de
* @author Andreas Stoeckel <as-AT-stylite.de>
* @package api
* @subpackage html
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @version $Id$
*/
namespace EGroupware\Api\Html;
use EGroupware\Api\Header\ContentSecurityPolicy;
/**
* CK-Editor configuration
*/
class CkEditorConfig
{
private static $lang = null;
private static $country = null;
private static $enterMode = null;
private static $skin = null;
// Defaults, defined in phpgwapi/js/ckeditor/plugins/font/plugin.js
public static $font_options = array(
'arial, helvetica, sans-serif' => 'Arial',
'Comic Sans MS, cursive' => 'Comic Sans MS',
'Courier New, Courier, monospace' => 'Courier New',
'Georgia, serif' => 'Georgia',
'Lucida Sans Unicode, Lucida Grande, sans-serif' => 'Lucida Sans Unicode',
'Tahoma, Geneva, sans-serif' => 'Tahoma',
'times new roman, times, serif' => 'Times New Roman',
'Trebuchet MS, Helvetica, sans-serif' => 'Trebuchet MS',
'Verdana, Geneva, sans-serif' => 'Verdana'
);
public static $font_size_options = array(
8 => '8',
9 => '9',
10 => '10',
11 => '11',
12 => '12',
14 => '14',
16 => '16',
18 => '18',
20 => '20',
22 => '22',
24 => '24',
26 => '26',
28 => '28',
36 => '36',
48 => '48',
72 => '72',
);
public static $font_unit_options = array(
'pt' => 'pt: points (1/72 inch)',
'px' => 'px: display pixels',
);
/**
* Get available CKEditor Skins
*
* Only return skins existing in filesystem, as we disable / remove them if not compatible with supported browsers.
*
* @return array skin => label pairs alphabetical sorted with default moono first
*/
public static function getAvailableCKEditorSkins()
{
$labels = array(
'kama' => lang('kama theme'),
'moono' => lang('moono theme (default)'),
'moonocolor' => lang('moono color theme'),
'moono-dark' => lang('dark moono theme'),
'Moono_blue' => lang('blue moono theme'),
'bootstrapck' => lang('bootstrap theme for ckeditor'),
'icy_orange' => lang('icy-orange theme for ckeditor'),
'office2013' => lang('office-2013 theme for ckeditor'),
'minimalist' => lang('Minimalist theme'),
'flat' => lang('Flat theme')
);
$skins = array();
foreach(scandir(EGW_SERVER_ROOT.'/phpgwapi/js/ckeditor/skins') as $skin)
{
if ($skin[0] == '.') continue;
if (isset($labels[$skin]))
{
$skins[$skin] = $labels[$skin];
}
else
{
$skins[$skin] = str_replace('_', '-', $skin).' '.lang('Theme');
}
}
uasort($skins, 'strcasecmp');
// return our default "moono" first
return isset($skins['moono']) ? array('moono' => $skins['moono'])+$skins : $skins;
}
/**
* Get font size from preferences
*
* @param array $prefs =null default $GLOBALS['egw_info']['user']['preferences']
* @param string &$size =null on return just size, without unit
* @param string &$unit =null on return just unit
* @return string font-size including unit
*/
public static function font_size_from_prefs(array $prefs=null, &$size=null, &$unit=null)
{
if (is_null($prefs)) $prefs = $GLOBALS['egw_info']['user']['preferences'];
$size = $prefs['common']['rte_font_size'];
$unit = $prefs['common']['rte_font_unit'];
if (substr($size, -2) == 'px')
{
$unit = 'px';
$size = (string)(int)$size;
}
return $size.($size?$unit:'');
}
/**
* Read language and country settings for the ckeditor and store them in static
* variables
*/
private static function read_lang_country()
{
//use the lang and country information to construct a possible lang info for CKEditor UI and scayt_slang
self::$lang = ($GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang'] ?
$GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang']:
$GLOBALS['egw_info']['user']['preferences']['common']['lang']);
self::$country = $GLOBALS['egw_info']['user']['preferences']['common']['country'];
if (!(strpos(self::$lang, '-')===false))
list(self::$lang, self::$country) = explode('-', self::$lang);
}
/**
* Returns the current user language
*/
private static function get_lang()
{
if (self::$lang == null || self::$country == null)
self::read_lang_country();
return self::$lang;
}
/**
* Returns the current user country
*/
private static function get_country()
{
if (self::$lang == null || self::$country == null)
self::read_lang_country();
return strtoupper(self::$country);
}
/**
* Returns the ckeditor basepath
*/
private static function get_base_path()
{
//Get the ckeditor base url
return $GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/ckeditor/';
}
/**
* Returns the ckeditor enter mode which defaults to "BR"
*/
private static function get_enter_mode()
{
if (self::$enterMode == null)
{
//Get the input name
$enterMode = 2;
if (isset($GLOBALS['egw_info']['user']['preferences']['common']['rte_enter_mode']))
{
switch ($GLOBALS['egw_info']['user']['preferences']['common']['rte_enter_mode'])
{
case 'p':
$enterMode = 1;
break;
case 'br':
$enterMode = 2;
break;
case 'div':
$enterMode = 3;
break;
}
}
self::$enterMode = $enterMode;
}
return self::$enterMode;
}
/**
* Returns the skin the ckeditor should use
*/
private static function get_skin()
{
if (self::$skin == null)
{
//Get the skin name
$skin = $GLOBALS['egw_info']['user']['preferences']['common']['rte_skin'];
//error_log(__METHOD__.__LINE__.' UserAgent:'.html::$user_agent);
//Convert old fckeditor skin names to new ones
switch ($skin)
{
case 'kama':
$skin = "kama";
//if (html::$user_agent=='firefox' || html::$user_agent=='msie') $skin='moonocolor';
break;
case 'silver':
case 'moono-dark':
$skin = "moono-dark";
break;
case 'icy_orange':
$skin = "icy_orange";
break;
case 'bootstrapck': // no longer support by egw
case 'Moono_blue':
case 'office2013':
case 'office2003':
case 'moonocolor':
$skin = "moonocolor";
break;
case 'minimalist':
$skin = "minimalist";
break;
case 'flat':
$skin = "flat";
break;
case 'moono':
case 'default':
default:
$skin = "moono";
}
//Check whether the skin actually exists, if not, switch to a default
if (!file_exists(EGW_SERVER_ROOT.'/phpgwapi/js/ckeditor/skins/'.$skin))
{
$skin = "moono"; //this is the basic skin for ckeditor
}
self::$skin = $skin;
}
return self::$skin;
}
/**
* Returns the URL of the filebrowser
*
* @param string $start_path start path for file browser
*/
private static function get_filebrowserBrowseUrl($start_path = '')
{
return $GLOBALS['egw_info']['server']['webserver_url'].'/index.php?menuaction=filemanager.filemanager_select.select&mode=open&method=ckeditor_return'
.($start_path != '' ? '&path='.$start_path : '');
}
/**
* Adds all "easy to write" options to the configuration
*
* @param array& $config array were config get's added to
* @param int|string $height integer height in pixel or string with css unit
* @param boolean|string $expanded_toolbar show toolbar expanded, boolean value, string "false", or string casted to boolean
* @param string $start_path start path for file browser
*/
private static function add_default_options(&$config, $height, $expanded_toolbar, $start_path)
{
//Convert the pixel height to an integer value
$config['resize_enabled'] = false;
$config['height'] = is_numeric($height) ? (int)$height : $height;
//disable encoding as entities needs to set the config value to false, as the default is true with the current ckeditor version
$config['entities'] = false;
$config['entities_latin'] = false;
$config['editingBlock'] = true;
$config['disableNativeSpellChecker'] = true;
// we set allowedContent to true as the 4.1 contentFiltering system allows only activated features as content
$config['allowedContent'] = true;
$config['removePlugins'] = 'elementspath';
$config['toolbarCanCollapse'] = true;
$config['toolbarStartupExpanded'] = is_bool($expanded_toolbar) ? $expanded_toolbar :
($expanded_toolbar === 'false' ? false : (boolean)$expanded_toolbar);
$config['filebrowserBrowseUrl'] = self::get_filebrowserBrowseUrl($start_path);
$config['filebrowserWindowHeight'] = 640;
$config['filebrowserWindowWidth'] = 580;
$config['language'] = self::get_lang();
$config['enterMode'] = self::get_enter_mode();
$config['skin'] = self::get_skin();
$config['fontSize_sizes'] = '';
$unit = $GLOBALS['egw_info']['user']['preferences']['common']['rte_font_unit'];
if (empty($unit)) $unit = 'px';
foreach(self::$font_size_options as $k => $v)
{
$config['fontSize_sizes'] .= $v.$unit.'/'.$k.$unit.';';
}
}
/**
* Adds the spellchecker configuration to the options and writes the name of
* the spellchecker toolbar button to the "spellchecker_button" parameter
*/
private static function add_spellchecker_options(&$config, &$spellchecker_button, &$scayt_button)
{
//error_log(__METHOD__.__LINE__.' Spellcheck:'.$GLOBALS['egw_info']['server']['enabled_spellcheck']);
if (isset($GLOBALS['egw_info']['server']['enabled_spellcheck']) && $GLOBALS['egw_info']['server']['enabled_spellcheck'])
{
// enable browsers native spellchecker as default, if e.g.: aspell fails
// to use browsers native spellchecker, you have to hold CMD/CTRL button on rightclick to
// access the browsers spell correction options
if ($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesNoSCAYT') $config['disableNativeSpellChecker'] = false;
if (!empty($GLOBALS['egw_info']['server']['aspell_path']) &&
is_executable($GLOBALS['egw_info']['server']['aspell_path']) &&
($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesUseWebSpellCheck' &&
$GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesBrowserBased')
)
{
$spellchecker_button = 'SpellCheck';
self::append_extraPlugins_config_array($config, array("aspell"));
}
if ($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesNoSCAYT' &&
$GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesBrowserBased'
)
{
$scayt_button='Scayt';
$config['scayt_autoStartup'] = true;
$config['scayt_sLang'] = self::get_lang().'_'.self::get_country();
$config['disableNativeSpellChecker'] = true; // only one spell as you type
}
}
else
{
$config['scayt_autoStartup'] = false;
}
}
/**
* Writes the toolbar configuration to the options which depends on the chosen
* mode and the spellchecker_button written by the add_spellchecker_options button
*/
private static function add_toolbar_options(&$config, $mode, $spellchecker_button, $scayt_button=false)
{
$config['toolbar'] = array();
switch ($mode)
{
case 'advanced':
$config['toolbar'][] = array('name' => 'document', 'items' => array('Source','DocProps','-','Preview','-','Templates'));
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Cut','Copy','Paste','PasteText','PasteFromWord','-','Print'));
if ($spellchecker_button||$scayt_button)
{
$configArray = array();
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
$config['toolbar'][] = array('name' => 'edit', 'items' => array('Undo','Redo','-','Find','Replace','-','SelectAll','RemoveFormat'));
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'basicstyles', 'items' => array('Bold','Italic','Underline','Strike','-','Subscript','Superscript'));
$config['toolbar'][] = array('name' => 'justify', 'items' => array('JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'));
$config['toolbar'][] = array('name' => 'paragraph', 'items' => array('BulletedList','NumberedList','-','Outdent','Indent'));
$config['toolbar'][] = array('name' => 'links', 'items' => array('Link','Unlink','Anchor'));
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Maximize','Image','Table','HorizontalRule','SpecialChar'/*,'Smiley'*/));
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'styles', 'items' => array('Style','Format','Font','FontSize'));
$config['toolbar'][] = array('name' => 'colors', 'items' => array('TextColor','BGColor'));
$config['toolbar'][] = array('name' => 'tools', 'items' => array('ShowBlocks','-','About'));
break;
case 'extended': default:
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Bold','Italic','Underline'));
$config['toolbar'][] = array('name' => 'justify', 'items' => array('JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'));
$config['toolbar'][] = array('name' => 'paragraph', 'items' => array('BulletedList','NumberedList'/*,'Smiley'*/,'Outdent','Indent','Undo','Redo'));
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Cut','Copy','Paste','PasteText','PasteFromWord','-','Print'));
if ($mode == 'extended')
{
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Image','Link','Unlink','Anchor'));
if ($spellchecker_button||$scayt_button)
{
$configArray = array('Maximize');
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
else
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Maximize'));//, 'Image', 'Table');
$config['toolbar'][count($config['toolbar']) - 1][] = array('name' => 'insert', 'items' => array('Image', 'Table'));
}
else
{
if ($spellchecker_button||$scayt_button)
{
$configArray = array('Maximize');
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
else
$config['toolbar'][] = array('name' => 'tools', 'items' => array('Maximize'));
}
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'edit', 'items' => array('Find','Replace','-','SelectAll','RemoveFormat'));
if ($mode == 'simple-withimage') $config['toolbar'][] = array('name' => 'links', 'items' => array('Image','Link','Unlink'));
$config['toolbar'][] = array('name' => 'styles', 'items' => array('Format','Font','FontSize'));
$config['toolbar'][] = array('name' => 'colors', 'items' => array('TextColor','BGColor'));
$config['toolbar'][] = array('name' => 'tools', 'items' => array('ShowBlocks','-','About'));
}
}
/**
* @see get_ckeditor_config
*/
public static function get_ckeditor_config_array($mode = '', $height = 400, $expanded_toolbar = true, $start_path = '')
{
// set for CK-Editor necessary CSP script-src attributes
self::set_csp_script_src_attrs();
// If not explicitly set, use preference for toolbar mode
if(!$mode || trim($mode) == '') $mode = $GLOBALS['egw_info']['user']['preferences']['common']['rte_features'];
$config = array();
$spellchecker_button = null;
self::add_default_options($config, $height, $expanded_toolbar, $start_path);
$scayt_button = null;
self::add_spellchecker_options($config, $spellchecker_button, $scayt_button);
self::add_toolbar_options($config, $mode, $spellchecker_button, $scayt_button);
//error_log(__METHOD__."('$mode', $height, ".array2string($expanded_toolbar).") returning ".array2string($config));
// Add extra plugins
self::append_extraPlugins_config_array($config, array('uploadimage','uploadwidget','widget','notification','notificationaggregator','lineutils'));
return $config;
}
/**
* Adds extra
* @param array $config
* @param array $plugins plugins name which needs to be appended into extraPlugins
*/
public static function append_extraPlugins_config_array (&$config, $plugins)
{
if (is_array($plugins))
{
foreach ($plugins as &$plugin)
{
if (!empty($config['extraPlugins']) && $config['extraPlugins'] !== '')
{
$config['extraPlugins'] .= ',' . $plugin;
}
else
{
$config['extraPlugins'] = $plugin;
}
}
}
}
/**
* Returns a json encoded string containing the configuration for the ckeditor.
* @param string $mode specifies the count of toolbar buttons available to the user. Possible
* values are 'simple', 'extended' and 'advanced'. All other values will default to 'simple'
* @param integer $height contains the height of the ckeditor in pixels
* @param boolean $expanded_toolbar specifies whether the ckeditor should start with an expanded toolbar or not
* @param string $start_path specifies
*/
public static function get_ckeditor_config($mode = '', $height = 400, $expanded_toolbar = true, $start_path = '')
{
return json_encode(self::get_ckeditor_config_array($mode, $height, $expanded_toolbar, $start_path));
}
/**
* URL webspellchecker uses for scripts and style-sheets
*/
const WEBSPELLCHECK_HOST = 'svc.webspellchecker.net';
/**
* Set for CK-Editor necessary CSP script-src attributes
*
* Get's called automatic from get_ckeditor_config(_array)
*/
public static function set_csp_script_src_attrs()
{
$attrs = array('unsafe-eval', 'unsafe-inline');
$url = ($_SERVER['HTTPS'] ? 'https://' : 'http://').self::WEBSPELLCHECK_HOST;
// if webspellchecker is enabled in EGroupware config, allow access to it's url
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
{
$attrs[] = $url;
ContentSecurityPolicy::add('style-src', $url);
}
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
// tell framework CK Editor needs eval and inline javascript :(
ContentSecurityPolicy::add('script-src', $attrs);
}
}

501
phpgwapi/inc/class.egw_ckeditor_config.inc.php
View File

@ -11,504 +11,9 @@
* @version $Id$
*/
use EGroupware\Api;
/**
* CK-Editor configuration
*/
class egw_ckeditor_config
{
private static $lang = null;
private static $country = null;
private static $enterMode = null;
private static $skin = null;
// Defaults, defined in phpgwapi/js/ckeditor/plugins/font/plugin.js
public static $font_options = array(
'arial, helvetica, sans-serif' => 'Arial',
'Comic Sans MS, cursive' => 'Comic Sans MS',
'Courier New, Courier, monospace' => 'Courier New',
'Georgia, serif' => 'Georgia',
'Lucida Sans Unicode, Lucida Grande, sans-serif' => 'Lucida Sans Unicode',
'Tahoma, Geneva, sans-serif' => 'Tahoma',
'times new roman, times, serif' => 'Times New Roman',
'Trebuchet MS, Helvetica, sans-serif' => 'Trebuchet MS',
'Verdana, Geneva, sans-serif' => 'Verdana'
);
public static $font_size_options = array(
8 => '8',
9 => '9',
10 => '10',
11 => '11',
12 => '12',
14 => '14',
16 => '16',
18 => '18',
20 => '20',
22 => '22',
24 => '24',
26 => '26',
28 => '28',
36 => '36',
48 => '48',
72 => '72',
);
public static $font_unit_options = array(
'pt' => 'pt: points (1/72 inch)',
'px' => 'px: display pixels',
);
/**
* Get available CKEditor Skins
*
* Only return skins existing in filesystem, as we disable / remove them if not compatible with supported browsers.
*
* @return array skin => label pairs alphabetical sorted with default moono first
*/
public static function getAvailableCKEditorSkins()
{
$labels = array(
'kama' => lang('kama theme'),
'moono' => lang('moono theme (default)'),
'moonocolor' => lang('moono color theme'),
'moono-dark' => lang('dark moono theme'),
'Moono_blue' => lang('blue moono theme'),
'bootstrapck' => lang('bootstrap theme for ckeditor'),
'icy_orange' => lang('icy-orange theme for ckeditor'),
'office2013' => lang('office-2013 theme for ckeditor'),
'minimalist' => lang('Minimalist theme'),
'flat' => lang('Flat theme')
);
$skins = array();
foreach(scandir(EGW_SERVER_ROOT.'/phpgwapi/js/ckeditor/skins') as $skin)
{
if ($skin[0] == '.') continue;
if (isset($labels[$skin]))
{
$skins[$skin] = $labels[$skin];
}
else
{
$skins[$skin] = str_replace('_', '-', $skin).' '.lang('Theme');
}
}
uasort($skins, 'strcasecmp');
// return our default "moono" first
return isset($skins['moono']) ? array('moono' => $skins['moono'])+$skins : $skins;
}
/**
* Get font size from preferences
*
* @param array $prefs =null default $GLOBALS['egw_info']['user']['preferences']
* @param string &$size =null on return just size, without unit
* @param string &$unit =null on return just unit
* @return string font-size including unit
*/
public static function font_size_from_prefs(array $prefs=null, &$size=null, &$unit=null)
{
if (is_null($prefs)) $prefs = $GLOBALS['egw_info']['user']['preferences'];
$size = $prefs['common']['rte_font_size'];
$unit = $prefs['common']['rte_font_unit'];
if (substr($size, -2) == 'px')
{
$unit = 'px';
$size = (string)(int)$size;
}
return $size.($size?$unit:'');
}
/**
* Read language and country settings for the ckeditor and store them in static
* variables
*/
private static function read_lang_country()
{
//use the lang and country information to construct a possible lang info for CKEditor UI and scayt_slang
self::$lang = ($GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang'] ?
$GLOBALS['egw_info']['user']['preferences']['common']['spellchecker_lang']:
$GLOBALS['egw_info']['user']['preferences']['common']['lang']);
self::$country = $GLOBALS['egw_info']['user']['preferences']['common']['country'];
if (!(strpos(self::$lang, '-')===false))
list(self::$lang, self::$country) = explode('-', self::$lang);
}
/**
* Returns the current user language
*/
private static function get_lang()
{
if (self::$lang == null || self::$country == null)
self::read_lang_country();
return self::$lang;
}
/**
* Returns the current user country
*/
private static function get_country()
{
if (self::$lang == null || self::$country == null)
self::read_lang_country();
return strtoupper(self::$country);
}
/**
* Returns the ckeditor basepath
*/
private static function get_base_path()
{
//Get the ckeditor base url
return $GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/ckeditor/';
}
/**
* Returns the ckeditor enter mode which defaults to "BR"
*/
private static function get_enter_mode()
{
if (self::$enterMode == null)
{
//Get the input name
$enterMode = 2;
if (isset($GLOBALS['egw_info']['user']['preferences']['common']['rte_enter_mode']))
{
switch ($GLOBALS['egw_info']['user']['preferences']['common']['rte_enter_mode'])
{
case 'p':
$enterMode = 1;
break;
case 'br':
$enterMode = 2;
break;
case 'div':
$enterMode = 3;
break;
}
}
self::$enterMode = $enterMode;
}
return self::$enterMode;
}
/**
* Returns the skin the ckeditor should use
*/
private static function get_skin()
{
if (self::$skin == null)
{
//Get the skin name
$skin = $GLOBALS['egw_info']['user']['preferences']['common']['rte_skin'];
//error_log(__METHOD__.__LINE__.' UserAgent:'.html::$user_agent);
//Convert old fckeditor skin names to new ones
switch ($skin)
{
case 'kama':
$skin = "kama";
//if (html::$user_agent=='firefox' || html::$user_agent=='msie') $skin='moonocolor';
break;
case 'silver':
case 'moono-dark':
$skin = "moono-dark";
break;
case 'icy_orange':
$skin = "icy_orange";
break;
case 'bootstrapck': // no longer support by egw
case 'Moono_blue':
case 'office2013':
case 'office2003':
case 'moonocolor':
$skin = "moonocolor";
break;
case 'minimalist':
$skin = "minimalist";
break;
case 'flat':
$skin = "flat";
break;
case 'moono':
case 'default':
default:
$skin = "moono";
}
//Check whether the skin actually exists, if not, switch to a default
if (!file_exists(EGW_SERVER_ROOT.'/phpgwapi/js/ckeditor/skins/'.$skin))
{
$skin = "moono"; //this is the basic skin for ckeditor
}
self::$skin = $skin;
}
return self::$skin;
}
/**
* Returns the URL of the filebrowser
*
* @param string $start_path start path for file browser
*/
private static function get_filebrowserBrowseUrl($start_path = '')
{
return $GLOBALS['egw_info']['server']['webserver_url'].'/index.php?menuaction=filemanager.filemanager_select.select&mode=open&method=ckeditor_return'
.($start_path != '' ? '&path='.$start_path : '');
}
/**
* Adds all "easy to write" options to the configuration
*
* @param array& $config array were config get's added to
* @param int|string $height integer height in pixel or string with css unit
* @param boolean|string $expanded_toolbar show toolbar expanded, boolean value, string "false", or string casted to boolean
* @param string $start_path start path for file browser
*/
private static function add_default_options(&$config, $height, $expanded_toolbar, $start_path)
{
//Convert the pixel height to an integer value
$config['resize_enabled'] = false;
$config['height'] = is_numeric($height) ? (int)$height : $height;
//disable encoding as entities needs to set the config value to false, as the default is true with the current ckeditor version
$config['entities'] = false;
$config['entities_latin'] = false;
$config['editingBlock'] = true;
$config['disableNativeSpellChecker'] = true;
// we set allowedContent to true as the 4.1 contentFiltering system allows only activated features as content
$config['allowedContent'] = true;
$config['removePlugins'] = 'elementspath';
$config['toolbarCanCollapse'] = true;
$config['toolbarStartupExpanded'] = is_bool($expanded_toolbar) ? $expanded_toolbar :
($expanded_toolbar === 'false' ? false : (boolean)$expanded_toolbar);
$config['filebrowserBrowseUrl'] = self::get_filebrowserBrowseUrl($start_path);
$config['filebrowserWindowHeight'] = 640;
$config['filebrowserWindowWidth'] = 580;
$config['language'] = self::get_lang();
$config['enterMode'] = self::get_enter_mode();
$config['skin'] = self::get_skin();
$config['fontSize_sizes'] = '';
$unit = $GLOBALS['egw_info']['user']['preferences']['common']['rte_font_unit'];
if (empty($unit)) $unit = 'px';
foreach(self::$font_size_options as $k => $v)
{
$config['fontSize_sizes'] .= $v.$unit.'/'.$k.$unit.';';
}
}
/**
* Adds the spellchecker configuration to the options and writes the name of
* the spellchecker toolbar button to the "spellchecker_button" parameter
*/
private static function add_spellchecker_options(&$config, &$spellchecker_button, &$scayt_button)
{
//error_log(__METHOD__.__LINE__.' Spellcheck:'.$GLOBALS['egw_info']['server']['enabled_spellcheck']);
if (isset($GLOBALS['egw_info']['server']['enabled_spellcheck']) && $GLOBALS['egw_info']['server']['enabled_spellcheck'])
{
// enable browsers native spellchecker as default, if e.g.: aspell fails
// to use browsers native spellchecker, you have to hold CMD/CTRL button on rightclick to
// access the browsers spell correction options
if ($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesNoSCAYT') $config['disableNativeSpellChecker'] = false;
if (!empty($GLOBALS['egw_info']['server']['aspell_path']) &&
is_executable($GLOBALS['egw_info']['server']['aspell_path']) &&
($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesUseWebSpellCheck' &&
$GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesBrowserBased')
)
{
$spellchecker_button = 'SpellCheck';
self::append_extraPlugins_config_array($config, array("aspell"));
}
if ($GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesNoSCAYT' &&
$GLOBALS['egw_info']['server']['enabled_spellcheck']!='YesBrowserBased'
)
{
$scayt_button='Scayt';
$config['scayt_autoStartup'] = true;
$config['scayt_sLang'] = self::get_lang().'_'.self::get_country();
$config['disableNativeSpellChecker'] = true; // only one spell as you type
}
}
else
{
$config['scayt_autoStartup'] = false;
}
}
/**
* Writes the toolbar configuration to the options which depends on the chosen
* mode and the spellchecker_button written by the add_spellchecker_options button
*/
private static function add_toolbar_options(&$config, $mode, $spellchecker_button, $scayt_button=false)
{
$config['toolbar'] = array();
switch ($mode)
{
case 'advanced':
$config['toolbar'][] = array('name' => 'document', 'items' => array('Source','DocProps','-','Preview','-','Templates'));
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Cut','Copy','Paste','PasteText','PasteFromWord','-','Print'));
if ($spellchecker_button||$scayt_button)
{
$configArray = array();
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
$config['toolbar'][] = array('name' => 'edit', 'items' => array('Undo','Redo','-','Find','Replace','-','SelectAll','RemoveFormat'));
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'basicstyles', 'items' => array('Bold','Italic','Underline','Strike','-','Subscript','Superscript'));
$config['toolbar'][] = array('name' => 'justify', 'items' => array('JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'));
$config['toolbar'][] = array('name' => 'paragraph', 'items' => array('BulletedList','NumberedList','-','Outdent','Indent'));
$config['toolbar'][] = array('name' => 'links', 'items' => array('Link','Unlink','Anchor'));
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Maximize','Image','Table','HorizontalRule','SpecialChar'/*,'Smiley'*/));
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'styles', 'items' => array('Style','Format','Font','FontSize'));
$config['toolbar'][] = array('name' => 'colors', 'items' => array('TextColor','BGColor'));
$config['toolbar'][] = array('name' => 'tools', 'items' => array('ShowBlocks','-','About'));
break;
case 'extended': default:
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Bold','Italic','Underline'));
$config['toolbar'][] = array('name' => 'justify', 'items' => array('JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'));
$config['toolbar'][] = array('name' => 'paragraph', 'items' => array('BulletedList','NumberedList'/*,'Smiley'*/,'Outdent','Indent','Undo','Redo'));
$config['toolbar'][] = array('name' => 'clipboard', 'items' => array('Cut','Copy','Paste','PasteText','PasteFromWord','-','Print'));
if ($mode == 'extended')
{
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Image','Link','Unlink','Anchor'));
if ($spellchecker_button||$scayt_button)
{
$configArray = array('Maximize');
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
else
$config['toolbar'][] = array('name' => 'insert', 'items' => array('Maximize'));//, 'Image', 'Table');
$config['toolbar'][count($config['toolbar']) - 1][] = array('name' => 'insert', 'items' => array('Image', 'Table'));
}
else
{
if ($spellchecker_button||$scayt_button)
{
$configArray = array('Maximize');
if ($spellchecker_button) $configArray[] = $spellchecker_button;
if ($scayt_button) $configArray[] = $scayt_button;
$config['toolbar'][] = array('name' => 'tools', 'items' => $configArray);
}
else
$config['toolbar'][] = array('name' => 'tools', 'items' => array('Maximize'));
}
$config['toolbar'][] = '/';
$config['toolbar'][] = array('name' => 'edit', 'items' => array('Find','Replace','-','SelectAll','RemoveFormat'));
if ($mode == 'simple-withimage') $config['toolbar'][] = array('name' => 'links', 'items' => array('Image','Link','Unlink'));
$config['toolbar'][] = array('name' => 'styles', 'items' => array('Format','Font','FontSize'));
$config['toolbar'][] = array('name' => 'colors', 'items' => array('TextColor','BGColor'));
$config['toolbar'][] = array('name' => 'tools', 'items' => array('ShowBlocks','-','About'));
}
}
/**
* @see get_ckeditor_config
*/
public static function get_ckeditor_config_array($mode = '', $height = 400, $expanded_toolbar = true, $start_path = '')
{
// set for CK-Editor necessary CSP script-src attributes
self::set_csp_script_src_attrs();
// If not explicitly set, use preference for toolbar mode
if(!$mode || trim($mode) == '') $mode = $GLOBALS['egw_info']['user']['preferences']['common']['rte_features'];
$config = array();
$spellchecker_button = null;
self::add_default_options($config, $height, $expanded_toolbar, $start_path);
$scayt_button = null;
self::add_spellchecker_options($config, $spellchecker_button, $scayt_button);
self::add_toolbar_options($config, $mode, $spellchecker_button, $scayt_button);
//error_log(__METHOD__."('$mode', $height, ".array2string($expanded_toolbar).") returning ".array2string($config));
// Add extra plugins
self::append_extraPlugins_config_array($config, array('uploadimage','uploadwidget','widget','notification','notificationaggregator','lineutils'));
return $config;
}
/**
* Adds extra
* @param array $config
* @param array $plugins plugins name which needs to be appended into extraPlugins
*/
public static function append_extraPlugins_config_array (&$config, $plugins)
{
if (is_array($plugins))
{
foreach ($plugins as &$plugin)
{
if (!empty($config['extraPlugins']) && $config['extraPlugins'] !== '')
{
$config['extraPlugins'] .= ',' . $plugin;
}
else
{
$config['extraPlugins'] = $plugin;
}
}
}
}
/**
* Returns a json encoded string containing the configuration for the ckeditor.
* @param string $mode specifies the count of toolbar buttons available to the user. Possible
* values are 'simple', 'extended' and 'advanced'. All other values will default to 'simple'
* @param integer $height contains the height of the ckeditor in pixels
* @param boolean $expanded_toolbar specifies whether the ckeditor should start with an expanded toolbar or not
* @param string $start_path specifies
*/
public static function get_ckeditor_config($mode = '', $height = 400, $expanded_toolbar = true, $start_path = '')
{
return json_encode(self::get_ckeditor_config_array($mode, $height, $expanded_toolbar, $start_path));
}
/**
* URL webspellchecker uses for scripts and style-sheets
*/
const WEBSPELLCHECK_HOST = 'svc.webspellchecker.net';
/**
* Set for CK-Editor necessary CSP script-src attributes
*
* Get's called automatic from get_ckeditor_config(_array)
*/
public static function set_csp_script_src_attrs()
{
$attrs = array('unsafe-eval', 'unsafe-inline');
$url = ($_SERVER['HTTPS'] ? 'https://' : 'http://').self::WEBSPELLCHECK_HOST;
// if webspellchecker is enabled in EGroupware config, allow access to it's url
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
{
$attrs[] = $url;
egw_framework::csp_style_src_attrs($url);
}
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
// tell framework CK Editor needs eval and inline javascript :(
egw_framework::csp_script_src_attrs($attrs);
}
}
class egw_ckeditor_config extends Api\Html\CkEditorConfig{}

131
phpgwapi/inc/class.egw_framework.inc.php
View File

@ -12,6 +12,8 @@
* @version $Id$
*/
use EGroupware\Api;
/**
* eGW API - framework: virtual base class for all template sets
*
@ -127,15 +129,6 @@ abstract class egw_framework
return new $class($GLOBALS['egw_info']['server']['template_set']);
}
/**
* Additional attributes or urls for CSP script-src 'self'
*
* 'unsafe-eval' is currently allways added, as it is used in a couple of places.
*
* @var array
*/
private static $csp_script_src_attrs = array("'unsafe-eval'");
/**
* Set/get Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
*
@ -145,132 +138,49 @@ abstract class egw_framework
*
* EGroupware itself currently still requires 'unsafe-eval'!
*
* @param string|array $set =array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-eval' 'unsafe-inline'"
* @param string|array $set =null 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
* @deprecated use Api\Header\ContentSecurityPolicy::add('script-src', $set);
*/
public static function csp_script_src_attrs($set=null)
{
foreach((array)$set as $attr)
{
if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
{
$attr = "'$attr'"; // automatic add quotes
}
if (!in_array($attr, self::$csp_script_src_attrs))
{
self::$csp_script_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_script_src_attrs);
Api\Header\ContentSecurityPolicy::add('script-src', $set);
}
/**
* Additional attributes or urls for CSP style-src 'self'
*
* 'unsafe-inline' is currently allways added, as it is used in a couple of places.
*
* @var array
*/
private static $csp_style_src_attrs = array("'unsafe-inline'");
/**
* Set/get Content-Security-Policy attributes for style-src: 'unsafe-inline'
*
* EGroupware itself currently still requires 'unsafe-inline'!
*
* @param string|array $set =array() 'unsafe-inline' (without quotes!) and/or URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
* @param string|array $set =null 'unsafe-inline' (without quotes!) and/or URL (incl. protocol!)
* @deprecated use Api\Header\ContentSecurityPolicy::add('style-src', $set);
*/
public static function csp_style_src_attrs($set=null)
{
foreach((array)$set as $attr)
{
if (in_array($attr, array('none', 'self', 'unsafe-inline')))
{
$attr = "'$attr'"; // automatic add quotes
}
if (!in_array($attr, self::$csp_style_src_attrs))
{
self::$csp_style_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_style_src_attrs);
Api\Header\ContentSecurityPolicy::add('style-src', $set);
}
/**
* Additional attributes or urls for CSP connect-src 'self'
*
* @var array
*/
private static $csp_connect_src_attrs = array();
/**
* Set/get Content-Security-Policy attributes for connect-src:
*
* @param string|array $set =array() URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
* @deprecated use Api\Header\ContentSecurityPolicy::add('connect-src', $set);
*/
public static function csp_connect_src_attrs($set=null)
{
foreach((array)$set as $attr)
{
if (!in_array($attr, self::$csp_connect_src_attrs))
{
self::$csp_connect_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_connect_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_connect_src_attrs);
Api\Header\ContentSecurityPolicy::add('connect-src', $set);
}
/**
* Additional attributes or urls for CSP frame-src 'self'
*
* @var array
*/
private static $csp_frame_src_attrs;
/**
* Set/get Content-Security-Policy attributes for frame-src:
*
* Calling this method with an empty array sets no frame-src, but "'self'"!
*
* @param string|array $set =array() URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
* @param string|array $set =null URL (incl. protocol!)
* @deprecated use Api\Header\ContentSecurityPolicy::add('frame-src', $set);
*/
public static function csp_frame_src_attrs($set=null)
{
// set frame-src attrs of API and apps via hook
if (!isset(self::$csp_frame_src_attrs) && !isset($set))
{
$frame_src = array('manual.egroupware.org', 'www.egroupware.org');
if (($app_additional = $GLOBALS['egw']->hooks->process('csp-frame-src')))
{
foreach($app_additional as $addtional)
{
if ($addtional) $frame_src = array_unique(array_merge($frame_src, $addtional));
}
}
return self::csp_frame_src_attrs($frame_src);
}
if (!isset(self::$csp_frame_src_attrs)) self::$csp_frame_src_attrs = array();
foreach((array)$set as $attr)
{
if (!in_array($attr, self::$csp_frame_src_attrs))
{
self::$csp_frame_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_frame_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_frame_src_attrs);
Api\Header\ContentSecurityPolicy::add('frame-src', $set);
}
/**
@ -281,20 +191,7 @@ abstract class egw_framework
// add a content-type header to overwrite an existing default charset in apache (AddDefaultCharset directiv)
header('Content-type: text/html; charset='.translation::charset());
// content-security-policy header:
// - "script-src 'self' 'unsafe-eval'" allows only self and eval (eg. ckeditor), but forbids inline scripts, onchange, etc
// - "connect-src 'self'" allows ajax requests only to self
// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
$csp = "script-src 'self' ".self::csp_script_src_attrs().
"; connect-src 'self' ".self::csp_connect_src_attrs().
"; style-src 'self' ".self::csp_style_src_attrs().
"; frame-src 'self' ".self::csp_frame_src_attrs();
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
header("X-Content-Security-Policy: $csp"); // FF <= 22
Api\Header\ContentSecurityPolicy::send();
// allow client-side to detect first load aka just logged in
$reload_count =& egw_cache::getSession(__CLASS__, 'framework-reload');