From a94e08d875b003707a6ccf6bd28872fb99e8edb0 Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Mon, 9 Sep 2024 06:46:14 +0200
Subject: [PATCH 1/3] feat: allow blob as connect-src

---
 deployments/examples/ocis_full/config/ocis/csp.yaml | 1 +
 deployments/examples/ocis_keycloak/config/ocis/csp.yaml | 1 +
 services/proxy/pkg/config/csp.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/deployments/examples/ocis_full/config/ocis/csp.yaml b/deployments/examples/ocis_full/config/ocis/csp.yaml
index d8615b85a6..fb46082e7d 100644
--- a/deployments/examples/ocis_full/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_full/config/ocis/csp.yaml
@@ -3,6 +3,7 @@ directives:
 - '''self'''
 connect-src:
 - '''self'''
+ - 'blob:'
 - 'https://${COMPANION_DOMAIN|companion.owncloud.test}/'
 - 'wss://${COMPANION_DOMAIN|companion.owncloud.test}/'
 - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
diff --git a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
index 2ba7ee2445..bdd0f60572 100644
--- a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
@@ -3,6 +3,7 @@ directives:
 - '''self'''
 connect-src:
 - '''self'''
+ - 'blob:'
 - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
 # In contrary to bash and docker the default is given after the | character
 - 'https://${KEYCLOAK_DOMAIN|keycloak.owncloud.test}/'
diff --git a/services/proxy/pkg/config/csp.yaml b/services/proxy/pkg/config/csp.yaml
index 58cd0645fe..7542867caa 100644
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -3,6 +3,7 @@ directives:
 - '''self'''
 connect-src:
 - '''self'''
+ - 'blob:'
 - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
 default-src:
 - '''none'''

From 2f1343922dff575ceb0fca2faf85b17ea7f773a5 Mon Sep 17 00:00:00 2001
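Review bot: The new `- 'blob:'` entry under connect-src in services/proxy/pkg/config/csp.yaml (and identically in the ocis_full and ocis_keycloak example hunks) carries no comment saying which client feature needs it, and the commit message gives no rationale either, although the neighbouring keycloak entry shows the file does annotate non-obvious lines. Unlike a host source, `blob:` does not add an external endpoint — blob URLs are created by script in the page itself and are origin-bound — so the widening is to the page's own in-memory objects, but the next person reviewing the default policy should not have to rediscover that. I would add above the line in all three files `# blob: URLs are minted in-page (presumably by the web client) and are origin-bound; allows fetch()/XHR on them without adding an external host`, naming the actual consumer once confirmed. The connect-src list may continue beyond the end of each hunk.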
From: Benedikt Kulmann
Date: Mon, 9 Sep 2024 06:49:13 +0200
Subject: [PATCH 2/3] feat: allow blob as connect-src in default CSP

---
 changelog/unreleased/blob-as-connect-src.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog/unreleased/blob-as-connect-src.md

diff --git a/changelog/unreleased/blob-as-connect-src.md b/changelog/unreleased/blob-as-connect-src.md
new file mode 100644
index 0000000000..6fefcbf4da
--- /dev/null
+++ b/changelog/unreleased/blob-as-connect-src.md
@@ -0,0 +1,5 @@
+Enhancement: Allow blob as connect-src in default CSP
+
+We added 'blob:' to the default connect-src items in the default CSP rules.
+
+https://github.com/owncloud/ocis/pull/9993

From b09fda0b2d6ed82b09c1b7bbb9da4cbd96b42dea Mon Sep 17 00:00:00 2001
From: Viktor Scharf
Date: Mon, 9 Sep 2024 07:56:03 +0200
Subject: [PATCH 3/3] fix tests

---
 .../features/coreApiWebdavOperations/downloadFile.feature | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index 11b5e1bdde..7e7c3f058c 100644
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -219,7 +219,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''; filename="" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |
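Review bot: The full expected Content-Security-Policy value is inlined verbatim in this scenario and again in the `@@ -247,7` hunk below, so every change to the default policy has to patch each copy in lockstep (this "fix tests" commit exists only for that reason) and a missed copy is noticed only when the suite runs. If the step library allows it, consider expressing the header once — for example a single `Scenario Outline` over the two filenames, or a shared expectation the two scenarios both reference — instead of two identical strings. The new value does match the YAML order in services/proxy/pkg/config/csp.yaml (`'self'`, then `blob:`, then the raw.githubusercontent.com source). Both scenarios begin and end outside their hunks.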
@@ -247,7 +247,7 @@ Feature: download file
 And the following headers should be set
 | header | value |
 | Content-Disposition | attachment; filename*=UTF-8''%22quote%22double%22.txt; filename=""quote"double".txt" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self' https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
 | X-Content-Type-Options | nosniff |
 | X-Frame-Options | SAMEORIGIN |
 | X-Permitted-Cross-Domain-Policies | none |