|
|
|
|
@ -212,34 +212,6 @@ class OC { |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
* This function adds some security related headers to all requests served via base.php |
|
|
|
|
* The implementation of this function has to happen here to ensure that all third-party |
|
|
|
|
* components (e.g. SabreDAV) also benefit from this headers. |
|
|
|
|
*/ |
|
|
|
|
public static function addSecurityHeaders() { |
|
|
|
|
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters |
|
|
|
|
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE |
|
|
|
|
|
|
|
|
|
// iFrame Restriction Policy |
|
|
|
|
$xFramePolicy = OC_Config::getValue('xframe_restriction', true); |
|
|
|
|
if($xFramePolicy) { |
|
|
|
|
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Content Security Policy |
|
|
|
|
// If you change the standard policy, please also change it in config.sample.php |
|
|
|
|
$policy = OC_Config::getValue('custom_csp_policy', |
|
|
|
|
'default-src \'self\'; ' |
|
|
|
|
.'script-src \'self\' \'unsafe-eval\'; ' |
|
|
|
|
.'style-src \'self\' \'unsafe-inline\'; ' |
|
|
|
|
.'frame-src *; ' |
|
|
|
|
.'img-src *; ' |
|
|
|
|
.'font-src \'self\' data:; ' |
|
|
|
|
.'media-src *'); |
|
|
|
|
header('Content-Security-Policy:'.$policy); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
public static function checkSSL() { |
|
|
|
|
// redirect to https site if configured |
|
|
|
|
if (OC_Config::getValue("forcessl", false)) { |
|
|
|
|
@ -545,7 +517,7 @@ class OC { |
|
|
|
|
self::checkConfig(); |
|
|
|
|
self::checkInstalled(); |
|
|
|
|
self::checkSSL(); |
|
|
|
|
self::addSecurityHeaders(); |
|
|
|
|
OC_Response::addSecurityHeaders(); |
|
|
|
|
|
|
|
|
|
$errors = OC_Util::checkServer(); |
|
|
|
|
if (count($errors) > 0) { |
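Review bot: The call `OC_Response::addSecurityHeaders();` replaces a public static method that the first hunk deletes from class OC, so any code outside base.php that still invokes `OC::addSecurityHeaders()` will now fail with an undefined-method error; if such callers may exist, a forwarding stub such as `/** @deprecated use OC_Response::addSecurityHeaders() */ public static function addSecurityHeaders() { OC_Response::addSecurityHeaders(); }` keeps them working. The removed implementation read `xframe_restriction` and `custom_csp_policy` from OC_Config and its comment asked that the default policy be kept in sync with config.sample.php; the new OC_Response method is not part of this diff, so it should be confirmed that it still honours both config keys and that the config.sample.php reminder moves with it. The removed default policy also allowed `'unsafe-eval'` in script-src and `frame-src *`; if the move is verbatim, a short comment on why those relaxations are required would help whoever tightens the policy later. The enclosing method that runs these startup checks begins and ends outside the hunk.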
|
|
|
|
|