* Spellchecker: marking "browser based" (default for new installs) and "No" as safer and fixing CSP policy for web-spell-checker

This commit is contained in:
Ralf Becker 2014-09-04 09:59:17 +00:00
parent 1f214243bb
commit aca5c7948e
4 changed files with 56 additions and 20 deletions

View File

@ -92,10 +92,10 @@
<td>{lang_Enable_spellcheck_in_rich_text_editor}:</td>
<td>
<select name="newsettings[enabled_spellcheck]">
<option value="">{lang_No}</option>
<option value="">{lang_No} - {lang_more_secure}</option>
<option value="True"{selected_enabled_spellcheck_True}>{lang_Yes}</option>
<option value="YesNoSCAYT"{selected_enabled_spellcheck_YesNoSCAYT}>{lang_Yes,_but_no_SCAYT}</option>
<option value="YesBrowserBased"{selected_enabled_spellcheck_YesBrowserBased}>{lang_Yes,_use_browser_based_spell_checking_engine}</option>
<option value="YesBrowserBased"{selected_enabled_spellcheck_YesBrowserBased}>{lang_Yes,_use_browser_based_spell_checking_engine} - {lang_more_secure}</option>
<option value="YesUseWebSpellCheck"{selected_enabled_spellcheck_YesUseWebSpellCheck}>{lang_Yes,_use_WebSpellChecker}</option>
</select>
</td>
@ -266,15 +266,6 @@
</tr>
-->
<tr class="row_off">
<td>{lang_Enable_the_soap_service} {lang_(default_No,_leave_it_off_if_you_dont_use_it)}:</td>
<td>
<select name="newsettings[soap_enabled]">
<option value="">{lang_No}</option>
<option value="True"{selected_soap_enabled_True}>{lang_Yes}</option>
</select>
</td>
</tr>
<tr class="row_on">
<td>{lang_How_many_entries_should_non-admins_be_able_to_export_(empty_=_no_limit,_no_=_no_export)}:<br />{lang_This_controls_exports_and_merging.}</td>
<td><input name="newsettings[export_limit]" value="{value_export_limit}" size="5"></td>

View File

@ -422,6 +422,11 @@ class egw_ckeditor_config
return json_encode(self::get_ckeditor_config_array($mode, $height, $expanded_toolbar, $start_path));
}
/**
* URL webspellchecker uses for scripts and style-sheets
*/
const WEBSPELLCHECK_HOST = 'svc.webspellchecker.net';
/**
* Set for CK-Editor necessary CSP script-src attributes
*
@ -430,11 +435,14 @@ class egw_ckeditor_config
public static function set_csp_script_src_attrs()
{
$attrs = array('unsafe-eval', 'unsafe-inline');
$url = ($_SERVER['HTTPS'] ? 'https://' : 'http://').self::WEBSPELLCHECK_HOST;
// if webspellchecker is enabled in EGroupware config, allow access to it's url
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
{
$attrs[] = 'https://svc.webspellchecker.net';
$attrs[] = $url;
egw_framework::csp_style_src_attrs($url);
}
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
// tell framework CK Editor needs eval and inline javascript :(

View File

@ -101,7 +101,7 @@ abstract class egw_framework
*
* EGroupware itself currently still requires 'unsafe-eval'!
*
* @param string|array $set=array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!)
* @param string|array $set =array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-eval' 'unsafe-inline'"
*/
public static function csp_script_src_attrs($set=null)
@ -122,6 +122,41 @@ abstract class egw_framework
return implode(' ', self::$csp_script_src_attrs);
}
/**
* Additional attributes or urls for CSP style-src 'self'
*
* 'unsafe-inline' is currently allways added, as it is used in a couple of places.
*
* @var array
*/
private static $csp_style_src_attrs = array("'unsafe-inline'");
/**
* Set/get Content-Security-Policy attributes for style-src: 'unsafe-inline'
*
* EGroupware itself currently still requires 'unsafe-inline'!
*
* @param string|array $set =array() 'unsafe-inline' (without quotes!) and/or URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
*/
public static function csp_style_src_attrs($set=null)
{
foreach((array)$set as $attr)
{
if (in_array($attr, array('none', 'self', 'unsafe-inline')))
{
$attr = "'$attr'"; // automatic add quotes
}
if (!in_array($attr, self::$csp_style_src_attrs))
{
self::$csp_style_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_style_src_attrs);
}
/**
* Query additional CSP frame-src from current app
*
@ -146,11 +181,13 @@ abstract class egw_framework
// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
$frame_src = array("'self'", 'manual.egroupware.org');
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, $additional);
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_unique(array_merge($frame_src, $additional));
$csp = "script-src 'self' ".self::csp_script_src_attrs().
"; connect-src 'self'".
"; style-src 'self' ".self::csp_style_src_attrs().
"; frame-src ".implode(' ', $frame_src);
$csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs()).
"; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src ".implode(' ', $frame_src);
//error_log(__METHOD__."() script_attrs=$script_attrs");
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS

View File

@ -240,8 +240,8 @@ class setup_process
{
unset($current_config['aspell_path']);
}
// always enable spellchecker, ckeditor now uses spell-as-you-type via a public webservice
$current_config['enabled_spellcheck'] = 'True';
// always enable browser based spellchecker
$current_config['enabled_spellcheck'] = 'YesBrowserBased';
// always enable history logging for calendar, addressbook and infolog
$current_config['history'] = 'history'; // addressbook: only admin