YunoHost-Apps/nextcloud_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/nextcloud_ynh.git synced 2024-09-03 19:55:57 +02:00
Code Issues Activity Actions

Disable CSPv3 nonces and allow YunoHost fonts data

Browse source 
Problems:
- Due to some unknown problem in the interaction between SSOwat and Nextcloud server authentication, CSP nonces are wrong when you log into Nextcloud from YunoHost portal for the first time (systematically reproduced in a browser private session). The Nextcloud page is hence almost totally blank and you have to refresh the page or click on the Nextcloud logo.
- Due to CSP protection, the YunoHost tile (inline Javascript) is blocked

Solution:
While it's not a totally satisfying solution, a somewhat acceptable workaround to these two problems is to:
- block CSP v3 features (hence nonces), but still allowing CSP v2 features
- allow for "data:" font sources (needed to load YunoHost tile fonts)

This is done via patching Nextcloud sources:
- `ContentSecurityPolicyNonceManager`: disable the CSPv3 browser compatibility detection (return false in every case)
- `EmptyContentSecurityPolicy`: add the "data:" argument in `font-src` default CSP rule.
This commit is contained in:
Jimmy Monin 2017-08-07 22:00:27 +02:00
parent cb3ce17086
commit 041a0ee18d
1 changed files with 33 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
patches/01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch Normal file
View file

@ -0,0 +1,33 @@
lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 4 ++++
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 3 ++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 85ae127f5f..91618a09fc 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -65,6 +65,10 @@ class ContentSecurityPolicyNonceManager {
* @return bool
*/
public function browserSupportsCspV3() {
+ // YunoHost patch: disable CSPv3 nonces to:
+ // - avoid white page on first login from YunoHost portal
+ // - allow YunoHost tile display
+ return false;
$browserWhitelist = [
Request::USER_AGENT_CHROME,
// Firefox 45+
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 64d4eb6e5d..59d5885620 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -377,7 +377,8 @@ class EmptyContentSecurityPolicy {
if(!empty($this->allowedFontDomains)) {
$policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
- $policy .= ';';
+ // YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script
+ $policy .= ' data:;';
}
if(!empty($this->allowedConnectDomains)) {