New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move to stricter CSP #11028

Merged
merged 3 commits into from Oct 14, 2018

Conversation

@rullzer
Member

rullzer commented Sep 3, 2018

Do not allow unsafe eval by default.

馃毀

Last merge for https://github.com/orgs/nextcloud/projects/18
This will be rebased several times to validate CSP behavior

TODO:

  • This will kill of OC.AddScript converted by mr @ChristophWurst
    • Need to look into affected apps

@rullzer rullzer added this to the Nextcloud 15 milestone Sep 3, 2018

@rullzer rullzer force-pushed the feature/no_eval_csp branch from efcec80 to d839df2 Sep 3, 2018

@rullzer

This comment has been minimized.

Member

rullzer commented Sep 28, 2018

Next one:

var TEMPLATE_MENU =

@rullzer rullzer force-pushed the feature/no_eval_csp branch from ad7e58b to 7b986d3 Oct 1, 2018

@MorrisJobke MorrisJobke referenced this pull request Oct 3, 2018

Merged

Update strengthify to be able to set a nonce #11592

1 of 1 task complete

@rullzer rullzer force-pushed the feature/no_eval_csp branch from 7b986d3 to c9c8c60 Oct 4, 2018

@rullzer rullzer added 3. to review and removed 2. developing labels Oct 4, 2018

@rullzer

This comment has been minimized.

Member

rullzer commented Oct 4, 2018

So I think this is good to get in.

Other stuff we should fix once we run into it.
But if we merge it we can announce it for 15 so app devs can start preparing as well.

@ChristophWurst

Let's do this

@@ -49,7 +49,7 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
* TODO: Disallow per default

This comment has been minimized.

@ChristophWurst
@ChristophWurst

This comment has been minimized.

Member

ChristophWurst commented Oct 9, 2018

This will kill of OC.AddScript

* Need to look into affected apps

https://github.com/search?q=%22OC.AddScript%22&type=Code have fun 馃檲

@ChristophWurst

This comment has been minimized.

Member

ChristophWurst commented Oct 9, 2018

馃挜
bildschirmfoto von 2018-10-09 08-50-24

@MorrisJobke

This comment has been minimized.

Member

MorrisJobke commented Oct 9, 2018

  • Need to look into affected apps

I only have found richdocuments and files_texteditor. 馃し鈥嶁檪锔

@ChristophWurst

This comment has been minimized.

Member

ChristophWurst commented Oct 9, 2018

I only have found richdocuments and files_texteditor. man_shrugging

I've pushed my fix that replaces the eval code with $.getScript. Could you please test if this actually works for these apps?

@rullzer

This comment has been minimized.

Member

rullzer commented Oct 9, 2018

@ChristophWurst richdocuments still works with this! yay!

@rullzer rullzer force-pushed the feature/no_eval_csp branch from dd1d0ce to ea0d692 Oct 10, 2018

.htaccess Outdated
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 /
ErrorDocument 404 /

This comment has been minimized.

@MorrisJobke
@MorrisJobke

Tested and didn't explode 馃憤

@MorrisJobke MorrisJobke force-pushed the feature/no_eval_csp branch from ea0d692 to ca3d964 Oct 10, 2018

@MorrisJobke

This comment has been minimized.

Member

MorrisJobke commented Oct 11, 2018

JS unit fails.

PhantomJS 2.1.1 (Linux 0.0.0) OC.L10N tests plurals generates plural for default text when translation does not exist FAILED
	Expected spy warn to have been called.
	core/js/tests/specs/l10nSpec.js:90:41
PhantomJS 2.1.1 (Linux 0.0.0) OC.L10N tests plurals generates plural with default function when no forms specified FAILED
	Expected spy warn to have been called.
	core/js/tests/specs/l10nSpec.js:110:41
	TypeError: undefined is not an object (evaluating 'locale.length') in core/js/l10n.js (line 9)
	_getPlural@core/js/l10n.js:9:5835
	translatePlural@core/js/l10n.js:9:4906
	[native code]
	checkPlurals@core/js/tests/specs/l10nSpec.js:73:6
	core/js/tests/specs/l10nSpec.js:111:16
PhantomJS 2.1.1 (Linux 0.0.0) OC.L10N tests plurals generates plural with generated function when forms is specified FAILED
	TypeError: undefined is not an object (evaluating 'locale.length') in core/js/l10n.js (line 9)
	_getPlural@core/js/l10n.js:9:5835
	translatePlural@core/js/l10n.js:9:4906
	[native code]
	checkPlurals@core/js/tests/specs/l10nSpec.js:73:6
	core/js/tests/specs/l10nSpec.js:118:16
PhantomJS 2.1.1 (Linux 0.0.0) OC.L10N tests plurals generates plural with function when forms is specified as function FAILED
	TypeError: undefined is not an object (evaluating 'locale.length') in core/js/l10n.js (line 9)
	_getPlural@core/js/l10n.js:9:5835
	translatePlural@core/js/l10n.js:9:4906
	[native code]
	checkPlurals@core/js/tests/specs/l10nSpec.js:73:6
	core/js/tests/specs/l10nSpec.js:130:16
PhantomJS 2.1.1 (Linux 0.0.0) OC.L10N tests async loading of translations calls callback if translation already available FAILED
	Expected spy warn to have been called.
	core/js/tests/specs/l10nSpec.js:167:41

@rullzer rullzer force-pushed the feature/no_eval_csp branch from f738ae3 to 385cfff Oct 11, 2018

rullzer and others added some commits Sep 3, 2018

Disallow unsafe-eval by default
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Use jQuery.getScript to dynamically load script
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Fix plural function to be hardcoded
No more weird eval to construct a plural function.
We just use the plural function from symfony.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

@rullzer rullzer force-pushed the feature/no_eval_csp branch from 385cfff to 056a74e Oct 14, 2018

@rullzer rullzer merged commit 82a5833 into master Oct 14, 2018

1 check passed

continuous-integration/drone/pr the build was successful
Details

@rullzer rullzer deleted the feature/no_eval_csp branch Oct 14, 2018

@rullzer rullzer added 4. to release and removed 2. developing labels Oct 14, 2018

@tcitworld tcitworld referenced this pull request Oct 18, 2018

Open

Calendar 2.0 - Vue #926

11 of 28 tasks complete
@MorrisJobke

This comment has been minimized.

Member

MorrisJobke commented Nov 9, 2018

@Arvidas mind to open a new ticket and link here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment