Add CSP nonce to CSS as well #16580

Closed
wants to merge 4 commits into from
Changes from 3 commits

3 changes: 2 additions & 1 deletion apps/theming/appinfo/app.php
Expand Up @@ -39,6 +39,7 @@
[
'rel' => 'stylesheet',
'href' => $linkToCSS,
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce(),
]
);
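
Review bot: the `'nonce'` entry on the stylesheet link is correct, but `\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()` is now evaluated twice in this file (here and again for the script `addHeader` in the next hunk). Resolve the manager once into a local variable at the top of the block and reuse it for both headers; that also makes it obvious that the `<link>` and `<script>` tags carry the same nonce value.
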

Expand All @@ -54,4 +55,4 @@
'src' => $linkToJs,
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce()
], ''
);
);
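
Review bot: the only change in this hunk is the duplicated final `);` line, i.e. the trailing newline at end of file, which is unrelated to the nonce work; harmless, but either drop it or mention it in the commit message so the diff stays focused on the CSP change.
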
23 changes: 22 additions & 1 deletion core/js/dist/login.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion core/js/dist/login.js.map

Large diffs are not rendered by default.
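Review bot: `core/js/dist/login.js` and its `.map` are rebuilt bundles committed next to the `core/src/login.js` change; since the placement of the `__webpack_nonce__` assignment in the source was still being reworked in the review thread, confirm that these artifacts were regenerated from the final source in this PR, otherwise the shipped bundle sets the nonce at a different point than the source shows.
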

2 changes: 2 additions & 0 deletions core/src/login.js
Expand Up @@ -22,6 +22,8 @@
import Vue from 'vue';
import queryString from 'query-string';

__webpack_nonce__ = btoa(OC.requestToken)
Member Author

@juliushaertl @skjnldsv I assumed this was enough as we use it in other places as well... but it seems not...

Member Author

Ok got it. It is because of the import reshuffling... so the nonce gets set too late.

Member Author

Stupid wrapping seems to be the easy fix...

Member

import OC from './OC/index' ?


import OC from './OC/index'; // TODO: Not needed but L10n breaks if removed
import LoginView from './views/Login.vue';
import Nextcloud from './mixins/Nextcloud';
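
Review bot: `__webpack_nonce__ = btoa(OC.requestToken)` runs too late to protect the styles this entry point pulls in. ES module `import` declarations are hoisted and evaluated before any other statement in the file, so `./views/Login.vue` (and any CSS the style loader injects when that module is evaluated) is processed before the assignment executes, and the injected `<style>` elements get no nonce; the same hoisting is why `import OC from './OC/index'` still works even though it textually follows the assignment. Move the assignment into its own small module (for example a file containing only that one line) and make it the first `import` of this entry, so it is evaluated before anything that emits CSS. A trailing `;` would also match the rest of the file.
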
9 changes: 8 additions & 1 deletion lib/private/Template/IconsCacher.php
Expand Up @@ -257,7 +257,14 @@ public function injectCss() {
}
}
$linkToCSS = $this->urlGenerator->linkToRoute('core.Css.getCss', ['appName' => 'icons', 'fileName' => $this->fileName, 'v' => $mtime]);
\OC_Util::addHeader('link', ['rel' => 'stylesheet', 'href' => $linkToCSS], null, true);
\OC_Util::addHeader('link',
[
'rel' => 'stylesheet',
'href' => $linkToCSS,
'nonce' => \OC::$server->getContentSecurityPolicyNonceManager()->getNonce(),
],
null,
true);
}

}
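
Review bot: the nonce manager is fetched through the static `\OC::$server` service locator although this class already receives its collaborators by constructor injection (`$this->urlGenerator` is used on the line above). Inject the nonce manager the same way so `injectCss()` stays unit-testable without bootstrapping the server container. The multi-line `addHeader` call is otherwise a straightforward addition of the `'nonce'` attribute.
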
2 changes: 1 addition & 1 deletion lib/private/legacy/template/functions.php
Expand Up @@ -46,7 +46,7 @@ function p($string) {
* @param string $opts, additional optional options
*/
function emit_css_tag($href, $opts = '') {
$s='<link rel="stylesheet"';
$s='<link rel="stylesheet" nonce="' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '"';
if (!empty($href)) {
$s.=' href="' . $href .'"';
}
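
Review bot: the docblock above `emit_css_tag()` only documents `$opts` and should now say that every emitted `<link>` carries the current request's CSP nonce, since the function's output changes for all callers. The nonce is concatenated into the attribute unescaped, which is fine only as long as `getNonce()` returns nothing but base64 characters; the pre-existing unescaped `$href` concatenation on the lines below is the riskier of the two and is unchanged here.
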
9 changes: 9 additions & 0 deletions lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
Expand Up @@ -433,6 +433,15 @@ public function buildPolicy() {

if(!empty($this->allowedStyleDomains) || $this->inlineStyleAllowed) {
$policy .= 'style-src ';
if(is_string($this->useJsNonce)) {
$policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
$allowedStyleDomains = array_flip($this->allowedStyleDomains);
unset($allowedStyleDomains['\'self\'']);
$this->allowedStyleDomains = array_flip($allowedStyleDomains);
if(count($allowedStyleDomains) !== 0) {
$policy .= ' ';
}
}
if(is_array($this->allowedStyleDomains)) {
$policy .= implode(' ', $this->allowedStyleDomains);
}
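
Review bot: emitting a `'nonce-…'` source in `style-src` has a side effect this hunk does not handle: from CSP Level 2 onwards, a directive that contains a nonce or hash source causes `'unsafe-inline'` in that same directive to be ignored, so the `$this->inlineStyleAllowed` branch of this block stops having any effect as soon as the nonce is present, and a nonce cannot be applied to `style="…"` attributes at all. Every inline style attribute and every `<style>` element without the nonce will therefore be blocked, not just same-origin stylesheets, which is a much wider change than removing `'self'`. Either keep the nonce out of `style-src` while inline styles are still allowed, or gate this branch on `!$this->inlineStyleAllowed` and document the consequence. Smaller point: the value is read from `$this->useJsNonce`, so either rename that property to something neutral or introduce a separate style nonce rather than reusing a JS-named field for CSS.
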