From 03bd1d527230342f7317285c2f658704d973bbc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Tue, 4 Jun 2024 14:29:21 +0200
Subject: [PATCH] fix: CSP frame-src to enable PDF viewing (#9313)
---
 changelog/unreleased/csp.md | 1 +
 deployments/examples/ocis_keycloak/config/ocis/csp.yaml | 1 +
 services/proxy/pkg/config/csp.yaml | 1 +
 .../features/coreApiWebdavOperations/downloadFile.feature | 4 ++--
 .../features/apiWebdavOperations/downloadFile.feature | 2 +-
 5 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/changelog/unreleased/csp.md b/changelog/unreleased/csp.md
index 936e1a6bb4..9e7fd68085 100644
--- a/changelog/unreleased/csp.md
+++ b/changelog/unreleased/csp.md
@@ -5,4 +5,5 @@ General hardening of oCIS
 https://github.com/owncloud/ocis/pull/8777
 https://github.com/owncloud/ocis/pull/9025
 https://github.com/owncloud/ocis/pull/9167
+https://github.com/owncloud/ocis/pull/9313
diff --git a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
index 0f960cf343..ac417f923e 100644
--- a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
@@ -13,6 +13,7 @@ directives:
 - '''none'''
 frame-src:
 - '''self'''
+ - 'blob:'
 - 'https://embed.diagrams.net/'
 img-src:
 - '''self'''
diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml
index af398461d0..6eab1f860d 100644
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -11,6 +11,7 @@ directives:
 - '''self'''
 frame-src:
 - '''self'''
+ - 'blob:'
 - 'https://embed.diagrams.net/'
 img-src:
 - '''self'''
diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index 540dcd6977..4fcc3c5665 100644
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
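Review bot: The new `- 'blob:'` entry under frame-src carries no comment saying why it is there, and the same unexplained line lands in the identical hunk of services/proxy/pkg/config/csp.yaml. Unlike the single fixed host listed beneath it, `blob:` admits any blob URL minted by script on the origin into a frame, so a maintainer tightening the policy later needs to know what depends on it; the commit title points at PDF viewing, which presumably loads the downloaded file through a blob URL. A one-line comment above the entry in both files, `# blob: is required for the PDF viewer (see #9313)`, would record that. The example deployment copy also tracks the service default by hand, so a pointer such as `# keep in sync with services/proxy/pkg/config/csp.yaml` would help the next policy change land in both places.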
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -271,7 +271,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''""; filename="" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Download-Options | noopen |
 | X-Frame-Options | SAMEORIGIN |
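Review bot: The expected Content-Security-Policy value is pinned as one verbatim string in this table, again in the `@@ -300,7` hunk of the same file, and a third time in tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature, so every policy edit has to be repeated in three places and a missed one only surfaces as a failing run. The exact match is worth keeping as a regression guard against the policy widening unnoticed, so rather than loosening it, consider holding the full string in a single shared expectation (if the step library allows, one step that compares the header against the configured csp.yaml value) and leaving the per-scenario tables to the headers each scenario is actually about. The scenarios these tables belong to start outside the hunk.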
@@ -300,7 +300,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Download-Options | noopen |
 | X-Frame-Options | SAMEORIGIN |
diff --git a/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature b/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
index 08b3621f54..d1c01cca7c 100644
--- a/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
+++ b/tests/parallelDeployAcceptance/features/apiWebdavOperations/downloadFile.feature
@@ -132,7 +132,7 @@ Feature: download file
 Then the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''textfile.txt; filename="textfile.txt" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Download-Options | noopen |
 | X-Frame-Options | SAMEORIGIN |