Bugfix: Nextcloud ContentSecurityPolicy versions issue

This commit is contained in:
the-djmaze 2022-11-13 19:41:23 +01:00
parent 01f26451d0
commit 9f1e9f1899
2 changed files with 17 additions and 12 deletions


@ -9,7 +9,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
/** @var bool Whether eval in JS scripts is allowed */
protected $evalScriptAllowed = true;
/** @var bool Whether strict-dynamic should be set */
protected $strictDynamicAllowed = true; // NC24+
// protected $strictDynamicAllowed = true; // NC24+
/** @var bool Whether inline CSS is allowed */
protected $inlineStyleAllowed = true;
@ -21,9 +21,9 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
$CSP->script
));
$this->allowedScriptDomains = \array_diff($this->allowedScriptDomains, ["'unsafe-inline'", "'unsafe-eval'"]);
if (\method_exists($this, 'useStrictDynamic')) {
$this->allowedScriptDomains = \array_diff($this->allowedScriptDomains, ["'strict-dynamic'"]);
}
\method_exists($this, 'useStrictDynamic')
? $this->useStrictDynamic(true) // NC24+
: $this->addAllowedScriptDomain("'strict-dynamic'");
$this->allowedImageDomains = \array_unique(\array_merge(
$this->allowedImageDomains,
@ -47,4 +47,16 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
));
}
public function getSnappyMailNonce() {
static $sNonce;
if (!$sNonce) {
$cspManager = \OC::$server->getContentSecurityPolicyNonceManager();
$sNonce = $cspManager->getNonce() ?: \SnappyMail\UUID::generate();
if (\method_exists($cspManager, 'browserSupportsCspV3') && !$cspManager->browserSupportsCspV3()) {
$this->addAllowedScriptDomain("'nonce-{$sNonce}'");
}
}
return $sNonce;
}
}
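Review bot: In the new getSnappyMailNonce(), `static $sNonce` is shared by every ContentSecurityPolicy instance in the process, but the `'nonce-…'` allowance inside the `if (!$sNonce)` guard is applied only to the instance that happens to call it first; any later instance returns the cached nonce without `$this->addAllowedScriptDomain("'nonce-{$sNonce}'")` ever running on it, so a browser without CSP v3 support would block its scripts. Move the `browserSupportsCspV3` check out of the guard so it runs for the current instance on every call (the `$cspManager` lookup has to move with it), keeping only the nonce generation cached. The method also lacks a return type and docblock; `public function getSnappyMailNonce() : string` with `/** Per-request CSP nonce, generated once and reused for the remainder of the request. */` would document the caching intent. Whether the `\SnappyMail\UUID::generate()` fallback is cryptographically random enough to serve as a CSP nonce is not visible here and should be confirmed, since a guessable nonce defeats the script-src restriction.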


@ -55,15 +55,8 @@ class PageController extends Controller
$sAppCssMin = $oConfig->Get('labs', 'use_app_debug_css', false) ? '' : '.min';
$sLanguage = $oActions->GetLanguage(false);
$cspManager = \OC::$server->getContentSecurityPolicyNonceManager();
$sNonce = $cspManager->getNonce() ?: \SnappyMail\UUID::generate();
$csp = new ContentSecurityPolicy();
if (\method_exists($cspManager, 'browserSupportsCspV3') && !$cspManager->browserSupportsCspV3()) {
$csp->addAllowedScriptDomain("'nonce-{$sNonce}'");
}
\method_exists($csp, 'useStrictDynamic')
? $csp->useStrictDynamic(true) // NC24+
: $csp->addAllowedScriptDomain("'strict-dynamic'");
$sNonce = $csp->getSnappyMailNonce();
$params = [
'Admin' => $bAdmin ? 1 : 0,
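Review bot: The removed lines dropped the local `$cspManager` from this method, and the method body continues outside the hunk; any remaining reference to `$cspManager` further down would now be an undefined variable, so the rest of the function should be checked. The nonce obtained on the new line `$sNonce = $csp->getSnappyMailNonce();` is cached in a function-static inside ContentSecurityPolicy, which means the `'nonce-…'` allowance is only added to the first instance that asks for it (see the note on ContentSecurityPolicy.php); as long as this `$csp` is the one instance attached to the response that is fine, but a second `new ContentSecurityPolicy()` elsewhere would inherit the nonce without the allowance.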