From a8c7146f968cd014c8e4c64501771d8978049bf4 Mon Sep 17 00:00:00 2001
From: the-djmaze <>
Date: Sat, 25 Feb 2023 00:07:11 +0100
Subject: [PATCH] Resolve #991
---
 .../nextcloud/snappymail/lib/ContentSecurityPolicy.php | 8 ++++----
 snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php | 7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php b/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
index b0b0ca201..27a9c44d1 100644
--- a/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
+++ b/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
@@ -16,7 +16,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 function __construct()
 {
 $CSP = \RainLoop\Api::getCSP();
- $this->allowedScriptDomains = \array_unique(\array_merge($this->allowedScriptDomains, $CSP->script));
+ $this->allowedScriptDomains = \array_unique(\array_merge($this->allowedScriptDomains, $CSP->get('script-src')));
 $this->allowedScriptDomains = \array_diff($this->allowedScriptDomains, ["'unsafe-inline'", "'unsafe-eval'"]);
 // Nextcloud only sets 'strict-dynamic' when browserSupportsCspV3() ?
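Review bot: The `\array_diff(..., ["'unsafe-inline'", "'unsafe-eval'"])` strip that follows the changed merge is an exact, case-sensitive string comparison, while the sources now come from `$CSP->get('script-src')`, i.e. whatever strings were appended to SnappyMail's directive list. Browsers match CSP keyword sources case-insensitively, so an entry such as `'Unsafe-Inline'`, or one carrying stray whitespace, would survive the strip and end up in the Nextcloud script policy. Consider normalising before comparing, e.g. `\array_filter($this->allowedScriptDomains, fn($s) => !\in_array(\strtolower(\trim($s)), ["'unsafe-inline'", "'unsafe-eval'"], true))`. The same applies to the `style-src` strip in the next hunk; `__construct()` continues past the end of this hunk.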
@@ -24,12 +24,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 ? $this->useStrictDynamic(true) // NC24+
 : $this->addAllowedScriptDomain("'strict-dynamic'");
- $this->allowedImageDomains = \array_unique(\array_merge($this->allowedImageDomains, $CSP->img));
+ $this->allowedImageDomains = \array_unique(\array_merge($this->allowedImageDomains, $CSP->get('img-src')));
- $this->allowedStyleDomains = \array_unique(\array_merge($this->allowedStyleDomains, $CSP->style));
+ $this->allowedStyleDomains = \array_unique(\array_merge($this->allowedStyleDomains, $CSP->get('style-src')));
 $this->allowedStyleDomains = \array_diff($this->allowedStyleDomains, ["'unsafe-inline'"]);
- $this->allowedFrameDomains = \array_unique(\array_merge($this->allowedFrameDomains, $CSP->frame));
+ $this->allowedFrameDomains = \array_unique(\array_merge($this->allowedFrameDomains, $CSP->get('frame-src')));
 $this->reportTo = \array_unique(\array_merge($this->reportTo, $CSP->report_to));
 }
diff --git a/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php b/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
index 5f49b1101..3d6502943 100644
--- a/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
+++ b/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
@@ -64,6 +64,13 @@ class CSP
 $this->directives[$directive][] = $source;
 }
+ public function get(string $directive) : array
+ {
+ return isset($this->directives[$directive])
+ ? $this->directives[$directive]
+ : [];
+ }
+
 public function setHeaders() : void
 {
 if ($this->report_only) {
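Review bot: The `img-src` and `frame-src` merges take the result of `$CSP->get(...)` verbatim, with no strip step like the one applied to the script and style lists, so any broad entry in SnappyMail's list (a scheme-only source or `*`, if one is configured) is carried into the Nextcloud policy unchanged. If that is intended, a comment above the two merges would make it explicit, e.g. `// img/frame sources are merged exactly as configured in SnappyMail; only script/style keywords are stripped`. Separately, `$CSP->report_to` is still read as a property while the other four lists now go through `get()`; whether that property still exists on `CSP` is not visible in this diff.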
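Review bot: `get()` returns `[]` for any key that is not set, so a misspelled or differently-cased directive name at a call site is indistinguishable from a directive that has no sources. In the Nextcloud integration that would silently drop the sources SnappyMail needs rather than raise an error. A short docblock on `get()` should state that `$directive` must be the exact key used when the source was added (`'script-src'`, `'img-src'`, ...) and that unknown names yield an empty list. As a style point the ternary can be written `return $this->directives[$directive] ?? [];`. `setHeaders()` continues outside this hunk.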