Commit df67a043 authored by Lukas Reschke's avatar Lukas Reschke

Move security headers to base.php

Some headers were previously only added by the templates but not by other components (e.g. SabreDAV / JSON / etc...)
The migration to base.php ensures that the headers are served on all requests passing through base.php
parent 266325ea
...@@ -213,6 +213,36 @@ class OC { ...@@ -213,6 +213,36 @@ class OC {
} }
} }
/*
* This function adds some security related headers to all requests
* served via base.php
* The implementation of this function as to happen here to ensure that
* all third-party components (e.g. SabreDAV) also benefit from this
* headers
*/
public static function addSecurityHeaders() {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
.'script-src \'self\' \'unsafe-eval\'; '
.'style-src \'self\' \'unsafe-inline\'; '
.'frame-src *; '
.'img-src *; '
.'font-src \'self\' data:; '
.'media-src *');
header('Content-Security-Policy:'.$policy);
}
public static function checkSSL() { public static function checkSSL() {
// redirect to https site if configured // redirect to https site if configured
if (OC_Config::getValue("forcessl", false)) { if (OC_Config::getValue("forcessl", false)) {
...@@ -512,6 +542,7 @@ class OC { ...@@ -512,6 +542,7 @@ class OC {
self::checkConfig(); self::checkConfig();
self::checkInstalled(); self::checkInstalled();
self::checkSSL(); self::checkSSL();
self::addSecurityHeaders();
$errors = OC_Util::checkServer(); $errors = OC_Util::checkServer();
if (count($errors) > 0) { if (count($errors) > 0) {
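Review bot: The CSP header on the last `header()` line of addSecurityHeaders() is emitted as `Content-Security-Policy:default-src ...` with no space after the colon, unlike the three other `header()` calls in the same function; browsers tolerate it, but `header('Content-Security-Policy: '.$policy);` keeps the output uniform and easier to match in proxy or log filters. The doc block above the function also has two slips: `as to happen here` should read `has to happen here` and `benefit from this headers` should read `benefit from these headers`. Note too that the default policy string contains no `frame-ancestors` directive (`frame-src *` only restricts what this page may embed), so when an operator sets `xframe_restriction` to false nothing in these headers prevents other origins from framing the page; a one-line comment next to the `$xFramePolicy` check saying that the CSP does not cover that case would make the trade-off visible.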
...@@ -64,31 +64,7 @@ class OC_Template extends \OC\Template\Base { ...@@ -64,31 +64,7 @@ class OC_Template extends \OC\Template\Base {
$this->path = $path; $this->path = $path;
parent::__construct($template, $requesttoken, $l10n, $themeDefaults); parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
// Some headers to enhance security
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
// iFrame Restriction Policy
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
if($xFramePolicy) {
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
}
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',
'default-src \'self\'; '
.'script-src \'self\' \'unsafe-eval\'; '
.'style-src \'self\' \'unsafe-inline\'; '
.'frame-src *; '
.'img-src *; '
.'font-src \'self\' data:; '
.'media-src *');
header('Content-Security-Policy:'.$policy); // Standard
} }
/** /**
* autodetect the formfactor of the used device * autodetect the formfactor of the used device
* default -> the normal desktop browser interface * default -> the normal desktop browser interface