Add CSP nonce to CSS as well #16580

Closed
wants to merge 4 commits into from
3 changes: 2 additions & 1 deletion apps/theming/appinfo/app.php
Expand Up @@ -39,6 +39,7 @@
[
'rel' => 'stylesheet',
'href' => $linkToCSS,
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce(),
]
);
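Review bot: the `nonce` attribute added to the theming stylesheet `<link>` only has an effect if the page's CSP `style-src` directive lists the same `'nonce-…'` value, and the policy side is not in this diff; confirm the header is updated together with this hunk, and keep in mind that once a nonce source appears in `style-src`, browsers ignore `'unsafe-inline'` in that directive, so any other inline style on the page must carry a nonce too. `\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()` is now called twice in this file; fetching it once into a local `$nonce` above both tags would make it obvious that the stylesheet and the script share the same value.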

Expand All @@ -54,4 +55,4 @@
'src' => $linkToJs,
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce()
], ''
);
);
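Review bot: this hunk reports four changed lines, but the visible content (`'src' => $linkToJs`, the nonce entry, `], ''` and `);`) reads the same before and after, so the change looks like whitespace or a trailing-newline fix; if that is all it is, say so in the commit message or drop it so the PR stays limited to the nonce change. A short comment on what the trailing `''` argument is would also help the next reader.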
8 changes: 4 additions & 4 deletions core/js/dist/login.js
2 changes: 1 addition & 1 deletion core/js/dist/login.js.map
20 changes: 10 additions & 10 deletions core/js/dist/main.js
2 changes: 1 addition & 1 deletion core/js/dist/main.js.map
4 changes: 2 additions & 2 deletions core/js/dist/maintenance.js
2 changes: 1 addition & 1 deletion core/js/dist/maintenance.js.map
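Review bot: core/js/dist/login.js, main.js, maintenance.js and their .map files are compiled bundles whose diffs are not shown, so a reviewer cannot confirm that they were rebuilt from the core/src change in this PR and contain nothing else; state the build command in the PR description, or have CI regenerate the bundles and compare them against the committed output, since committed build artifacts are exactly where an unrelated or tampered change would go unnoticed.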
64 changes: 2 additions & 62 deletions core/src/login.js
@@ -1,63 +1,3 @@
/*
* @copyright 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
__webpack_nonce__ = btoa(OC.requestToken)
Member Author commented:
@juliushaertl @skjnldsv I assumed this was enough as we use it in other places as well... but it seems not...

Member Author commented:
Ok got it. It is because of the import reshuffling.... so the nonce gets set too late.

Member Author commented:
Stupid wrapping seems to be the easy fix...

Member commented:
import OC from './OC/index' ?


import Vue from 'vue';
import queryString from 'query-string';

import OC from './OC/index'; // TODO: Not needed but L10n breaks if removed
import LoginView from './views/Login.vue';
import Nextcloud from './mixins/Nextcloud';

const query = queryString.parse(location.search);
if (query.clear === '1') {
try {
window.localStorage.clear();
window.sessionStorage.clear();
console.debug('Browser storage cleared');
} catch (e) {
console.error('Could not clear browser storage', e);
}
}

Vue.mixin(Nextcloud);

const fromStateOr = (key, orValue) => {
try {
return OCP.InitialState.loadState('core', key)
} catch (e) {
return orValue
}
}

const View = Vue.extend(LoginView);
new View({
propsData: {
errors: fromStateOr('loginErrors', []),
messages: fromStateOr('loginMessages', []),
redirectUrl: fromStateOr('loginRedirectUrl', undefined),
username: fromStateOr('loginUsername', ''),
throttleDelay: fromStateOr('loginThrottleDelay', 0),
invertedColors: OCA.Theming && OCA.Theming.inverted,
canResetPassword: fromStateOr('loginCanResetPassword', false),
resetPasswordLink: fromStateOr('loginResetPasswordLink', ''),
autoCompleteAllowed: fromStateOr('loginAutocomplete', true),
}
}).$mount('#login');
require('./loginReal')
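Review bot: `require('./loginReal')` has to stay a `require` (or a dynamic import): a static `import` would be hoisted above the `__webpack_nonce__ = btoa(OC.requestToken)` assignment, which is exactly the ordering problem described in the comments above, and nothing in the file says so. Add a comment on that line explaining why the entry point is split into a wrapper and `loginReal.js`, so a later cleanup does not convert it back to `import`, and restore a license header, since the old one moved to loginReal.js and this file now has none.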
63 changes: 63 additions & 0 deletions core/src/loginReal.js
@@ -0,0 +1,63 @@
/*
* @copyright 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @author 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

import Vue from 'vue';
import queryString from 'query-string';

import OC from './OC/index'; // TODO: Not needed but L10n breaks if removed
import LoginView from './views/Login.vue';
import Nextcloud from './mixins/Nextcloud';

const query = queryString.parse(location.search);
if (query.clear === '1') {
try {
window.localStorage.clear();
window.sessionStorage.clear();
console.debug('Browser storage cleared');
} catch (e) {
console.error('Could not clear browser storage', e);
}
}

Vue.mixin(Nextcloud);

const fromStateOr = (key, orValue) => {
try {
return OCP.InitialState.loadState('core', key)
} catch (e) {
return orValue
}
}

const View = Vue.extend(LoginView);
new View({
propsData: {
errors: fromStateOr('loginErrors', []),
messages: fromStateOr('loginMessages', []),
redirectUrl: fromStateOr('loginRedirectUrl', undefined),
username: fromStateOr('loginUsername', ''),
throttleDelay: fromStateOr('loginThrottleDelay', 0),
invertedColors: OCA.Theming && OCA.Theming.inverted,
canResetPassword: fromStateOr('loginCanResetPassword', false),
resetPasswordLink: fromStateOr('loginResetPasswordLink', ''),
autoCompleteAllowed: fromStateOr('loginAutocomplete', true),
}
}).$mount('#login');
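Review bot: the body is a verbatim move of the old core/src/login.js, so only one pre-existing point: `fromStateOr` catches every exception from `OCP.InitialState.loadState` and returns the default, so a missing or malformed initial-state element silently yields the fallback value, which for `autoCompleteAllowed` is the more permissive `true`; narrowing the catch, or at least logging the error before falling back, would stop a server-side state problem from degrading quietly. The `// TODO: Not needed but L10n breaks if removed` import travels with the move unchanged.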
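The PR attaches a nonce to the theming stylesheet and relies on `btoa(OC.requestToken)` matching the server-side CSP nonce. The check below is an added example, not code from this PR or from Nextcloud: it audits one HTML response against its Content-Security-Policy header, derives the nonce the same way the page does, reports whether `style-src` and `script-src` actually honour it (with the `default-src` fallback applied), flags `<link rel="stylesheet">` and `<script>` tags whose nonce is missing or wrong, and warns when `'unsafe-inline'` is still listed next to a nonce, since browsers then ignore it. The token, markup, policies and function names are all assumptions constructed for the example, not the project's real header or API.

```javascript
// Added example, not code from this PR or from Nextcloud. It audits one HTML
// response against its Content-Security-Policy header: do style-src and
// script-src carry the nonce the markup uses, and is 'unsafe-inline' still
// listed (browsers ignore it once a nonce or hash source is present)?

// The PR derives the client-side nonce as btoa(OC.requestToken); mirror that.
function nonceFromRequestToken(token) {
  return typeof btoa === 'function'
    ? btoa(token)
    : Buffer.from(token, 'binary').toString('base64');
}

// "directive src src; directive src" -> Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // A repeated directive is ignored after its first occurrence.
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// style-src and script-src fall back to default-src when absent.
function effectiveSources(policy, directive) {
  return policy.get(directive) || policy.get('default-src') || [];
}

function checkDirective(policy, directive, nonce) {
  const sources = effectiveSources(policy, directive);
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    directive,
    nonceHonoured: sources.includes(`'nonce-${nonce}'`),
    // CSP Level 2+: once a nonce or hash source is present, 'unsafe-inline'
    // is ignored, so every inline style/script without a nonce stops working.
    unsafeInlineIgnored: sources.includes("'unsafe-inline'") && hasNonceOrHash,
  };
}

// <link rel="stylesheet"> and <script> tags whose nonce is missing or wrong.
function tagsMissingNonce(html, nonce) {
  const missing = [];
  const tagRe = /<(link|script)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    }
    const isStylesheet = tag[1].toLowerCase() === 'link'
      && String(attrs.rel || '').toLowerCase() === 'stylesheet';
    if (!isStylesheet && tag[1].toLowerCase() !== 'script') continue;
    if (attrs.nonce !== nonce) missing.push(tag[0]);
  }
  return missing;
}

function auditResponse(cspHeader, html, requestToken) {
  const nonce = nonceFromRequestToken(requestToken);
  const policy = parseCsp(cspHeader);
  return {
    nonce,
    style: checkDirective(policy, 'style-src', nonce),
    script: checkDirective(policy, 'script-src', nonce),
    tagsMissingNonce: tagsMissingNonce(html, nonce),
  };
}

// Constructed sample, not a real Nextcloud response: made-up token, markup
// and policies (assumed shapes, not the project's actual header).
const SAMPLE_TOKEN = 'example-request-token';
const SAMPLE_NONCE = nonceFromRequestToken(SAMPLE_TOKEN);
const SAMPLE_HTML = `
<link rel="stylesheet" href="/apps/theming/styles.css" nonce="${SAMPLE_NONCE}">
<link rel="stylesheet" href="/core/css/server.css">
<script src="/apps/theming/js/theming.js" nonce="${SAMPLE_NONCE}"></script>
<script src="/core/js/dist/login.js"></script>
`;
// Nonce only for scripts: the nonce attribute on the stylesheet is inert.
const POLICY_SCRIPT_ONLY =
  `default-src 'none'; script-src 'nonce-${SAMPLE_NONCE}'; style-src 'self' 'unsafe-inline'`;
// Nonce for styles too: the attribute now matters, and 'unsafe-inline' is ignored.
const POLICY_WITH_STYLE_NONCE =
  `default-src 'none'; script-src 'nonce-${SAMPLE_NONCE}'; ` +
  `style-src 'self' 'unsafe-inline' 'nonce-${SAMPLE_NONCE}'`;

console.log(JSON.stringify(auditResponse(POLICY_WITH_STYLE_NONCE, SAMPLE_HTML, SAMPLE_TOKEN), null, 2));
```

Run it against a real page by pasting the response's `Content-Security-Policy` header, its HTML and the value of `OC.requestToken`; the `tagsMissingNonce` list is the set of tags that would be blocked once the directive carries the nonce, and `unsafeInlineIgnored: true` means any remaining inline style or script without a nonce breaks at the same time.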