Always set self/blob csp when displaying attachments

Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2020-04-21 12:29:35 +02:00
parent 00d2278513
commit 76a1cc0618
2 changed files with 17 additions and 9 deletions


@@ -236,14 +236,15 @@ class FileService implements IAttachmentService {
} else { } else {
$response = new FileDisplayResponse($file); $response = new FileDisplayResponse($file);
} }
if ($file->getMimeType() === 'application/pdf') { // We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none' // https://bugs.chromium.org/p/chromium/issues/detail?id=271452
// https://bugs.chromium.org/p/chromium/issues/detail?id=271452 $policy = new ContentSecurityPolicy();
$policy = new ContentSecurityPolicy(); $policy->addAllowedObjectDomain('\'self\'');
$policy->addAllowedObjectDomain('\'self\''); $policy->addAllowedObjectDomain('blob:');
$policy->addAllowedObjectDomain('blob:'); $policy->addAllowedMediaDomain('\'self\'');
$response->setContentSecurityPolicy($policy); $policy->addAllowedMediaDomain('blob:');
} $response->setContentSecurityPolicy($policy);
$response->addHeader('Content-Type', $file->getMimeType()); $response->addHeader('Content-Type', $file->getMimeType());
return $response; return $response;
} }
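Review bot: The comment kept at the top of the new block still justifies the policy solely by Chrome refusing to render PDFs under object-src 'none', yet the policy is now attached to every attachment regardless of `$file->getMimeType()`, and the two new `addAllowedMediaDomain` calls are not explained at all. Suggest rewording it to state the actual intent, e.g. `// Relax object-src and media-src to 'self' and blob: for every attachment: Chrome will not render inline PDFs under object-src 'none' (https://bugs.chromium.org/p/chromium/issues/detail?id=271452), and the media-src relaxation is needed for audio/video attachments displayed inline` — the media-src rationale is inferred and should be confirmed by the author. Since `Content-Type` is taken from the stored file's mime type and the attachment is served inline, the relaxed object-src/media-src now also cover mime types that never needed it; if that is intended, the "always" from the commit title belongs in the comment so a later reader does not reintroduce the mime-type guard by mistake. The enclosing method starts outside the hunk.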


@@ -272,7 +272,12 @@ class FileServiceTest extends TestCase {
$expected = new StreamResponse('fileresource'); $expected = new StreamResponse('fileresource');
$expected->addHeader('Content-Type', 'image/jpeg'); $expected->addHeader('Content-Type', 'image/jpeg');
$expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"'); $expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
$policy = new ContentSecurityPolicy();
$policy->addAllowedObjectDomain('\'self\'');
$policy->addAllowedObjectDomain('blob:');
$policy->addAllowedMediaDomain('\'self\'');
$policy->addAllowedMediaDomain('blob:');
$expected->setContentSecurityPolicy($policy);
$this->assertEquals($expected, $actual); $this->assertEquals($expected, $actual);
} }
@@ -305,6 +310,8 @@ class FileServiceTest extends TestCase {
$policy = new ContentSecurityPolicy(); $policy = new ContentSecurityPolicy();
$policy->addAllowedObjectDomain('\'self\''); $policy->addAllowedObjectDomain('\'self\'');
$policy->addAllowedObjectDomain('blob:'); $policy->addAllowedObjectDomain('blob:');
$policy->addAllowedMediaDomain('\'self\'');
$policy->addAllowedMediaDomain('blob:');
$expected->setContentSecurityPolicy($policy); $expected->setContentSecurityPolicy($policy);
$this->assertEquals($expected, $actual); $this->assertEquals($expected, $actual);
} }
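Review bot: The expected policy is now built by hand in two tests (the five `ContentSecurityPolicy` lines added in the first hunk and the two `addAllowedMediaDomain` lines added to the second), so the next change to the service's policy has to be mirrored in every test that asserts a display response. Extracting the construction into a private helper on the test case keeps a single definition of the expected policy and makes the intent of each test visible at the call site. It is good that the image/jpeg test now asserts the relaxed policy too, as that pins the unconditional behaviour of the service rather than only the PDF path. Both hunks sit inside test methods that begin outside the hunk.
```php
// … unchanged: response setup up to the Content-Disposition header …
$expected->setContentSecurityPolicy($this->expectedAttachmentPolicy());

/** Policy the service is expected to attach to every displayed attachment. */
private function expectedAttachmentPolicy(): ContentSecurityPolicy
{
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedObjectDomain('\'self\'');
    $policy->addAllowedObjectDomain('blob:');
    $policy->addAllowedMediaDomain('\'self\'');
    $policy->addAllowedMediaDomain('blob:');

    return $policy;
}
```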