[Pkg-owncloud-commits] [php-sabredav] 156/220: Harden CSP policy
David Prévot
taffit at moszumanska.debian.org
Thu May 12 01:21:21 UTC 2016
commit 72a4c2be1cf74f31570696158efe10cad4616cee
Author: Lukas Reschke <lukas at owncloud.com>
Date: Tue Apr 12 10:49:09 2016 +0200
Harden CSP policy
- Set a default policy (`default-src 'none'`) that blocks everything not explicitly allowed
- Enable fonts
---
lib/DAV/Browser/Plugin.php | 4 ++--
tests/Sabre/DAV/Browser/PluginTest.php | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/DAV/Browser/Plugin.php b/lib/DAV/Browser/Plugin.php
index 481efef..49359a0 100644
--- a/lib/DAV/Browser/Plugin.php
+++ b/lib/DAV/Browser/Plugin.php
@@ -112,7 +112,7 @@ class Plugin extends DAV\ServerPlugin {
$getVars = $request->getQueryParameters();
// CSP headers
- $this->server->httpResponse->setHeader('Content-Security-Policy', "img-src 'self'; style-src 'self';");
+ $this->server->httpResponse->setHeader('Content-Security-Policy', "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';");
$sabreAction = isset($getVars['sabreAction']) ? $getVars['sabreAction'] : null;
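Review bot: The new `default-src 'none'` on the replaced header line does not govern `frame-ancestors`, `base-uri` or `form-action`, so the browser UI can still be embedded in a third-party frame and a `<base>` injection would still be honoured. Since this plugin renders HTML (the tests expect `text/html`), the policy should state those explicitly, e.g. `"default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; base-uri 'none';"` (add `form-action 'self'` if the rendered pages contain forms, which this hunk does not show). Browsers that predate `frame-ancestors` still need `X-Frame-Options` to get the same clickjacking protection. The enclosing method begins before this hunk, so I cannot see whether an `X-Frame-Options` header is already set elsewhere in it.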
@@ -368,7 +368,7 @@ class Plugin extends DAV\ServerPlugin {
$html .= $this->generateFooter();
- $this->server->httpResponse->setHeader('Content-Security-Policy', "img-src 'self'; style-src 'self';");
+ $this->server->httpResponse->setHeader('Content-Security-Policy', "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';");
return $html;
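Review bot: The policy string on the replaced line is now a verbatim copy of the one set in the first hunk (and it is repeated in four test expectations), so the two responses can silently drift apart the next time someone tightens one of them. Hoist it into a single class constant, `const CSP_POLICY = "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';";`, and have both call sites use `$this->server->httpResponse->setHeader('Content-Security-Policy', self::CSP_POLICY);`. The tests can then assert against the same constant instead of a duplicated literal. The enclosing method starts before this hunk.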
diff --git a/tests/Sabre/DAV/Browser/PluginTest.php b/tests/Sabre/DAV/Browser/PluginTest.php
index 61ca0a7..f20c50f 100644
--- a/tests/Sabre/DAV/Browser/PluginTest.php
+++ b/tests/Sabre/DAV/Browser/PluginTest.php
@@ -30,7 +30,7 @@ class PluginTest extends DAV\AbstractServer{
[
'X-Sabre-Version' => [DAV\Version::VERSION],
'Content-Type' => ['text/html; charset=utf-8'],
- 'Content-Security-Policy' => ["img-src 'self'; style-src 'self';"]
+ 'Content-Security-Policy' => ["default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';"]
],
$this->response->getHeaders()
);
@@ -56,7 +56,7 @@ class PluginTest extends DAV\AbstractServer{
[
'X-Sabre-Version' => [DAV\Version::VERSION],
'Content-Type' => ['text/html; charset=utf-8'],
- 'Content-Security-Policy' => ["img-src 'self'; style-src 'self';"]
+ 'Content-Security-Policy' => ["default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';"]
],
$this->response->getHeaders()
);
@@ -77,7 +77,7 @@ class PluginTest extends DAV\AbstractServer{
[
'X-Sabre-Version' => [DAV\Version::VERSION],
'Content-Type' => ['text/html; charset=utf-8'],
- 'Content-Security-Policy' => ["img-src 'self'; style-src 'self';"]
+ 'Content-Security-Policy' => ["default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';"]
],
$this->response->getHeaders()
);
@@ -159,7 +159,7 @@ class PluginTest extends DAV\AbstractServer{
'Content-Type' => ['image/vnd.microsoft.icon'],
'Content-Length' => ['4286'],
'Cache-Control' => ['public, max-age=1209600'],
- 'Content-Security-Policy' => ["img-src 'self'; style-src 'self';"]
+ 'Content-Security-Policy' => ["default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';"]
], $this->response->getHeaders());
}