Diffstat (limited to 'Bugzilla/CGI/ContentSecurityPolicy.pm')
-rw-r--r--Bugzilla/CGI/ContentSecurityPolicy.pm154
1 files changed, 78 insertions, 76 deletions
diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm
index 50a399cdc..557a896ab 100644
--- a/Bugzilla/CGI/ContentSecurityPolicy.pm
+++ b/Bugzilla/CGI/ContentSecurityPolicy.pm
@@ -17,123 +17,125 @@ use Type::Utils;
use Bugzilla::Util qw(generate_random_password);
-my $SRC_KEYWORD = enum['none', 'self', 'unsafe-inline', 'unsafe-eval', 'nonce'];
+my $SRC_KEYWORD
+ = enum ['none', 'self', 'unsafe-inline', 'unsafe-eval', 'nonce'];
my $SRC_URI = declare as Str, where {
- $_ =~ m{
+ $_ =~ m{
^(?: https?:// )? # optional http:// or https://
[*A-Za-z0-9.-]+ # hostname including wildcards. Possibly too permissive.
(?: :[0-9]+ )? # optional port
}x;
};
-my $SRC = $SRC_KEYWORD | $SRC_URI;
-my $SOURCE_LIST = ArrayRef[$SRC];
-my $REFERRER_KEYWORD = enum [qw(
+my $SRC = $SRC_KEYWORD | $SRC_URI;
+my $SOURCE_LIST = ArrayRef [$SRC];
+my $REFERRER_KEYWORD = enum [
+ qw(
no-referrer no-referrer-when-downgrade
origin origin-when-cross-origin unsafe-url
-)];
+ )
+];
my @ALL_BOOL = qw( sandbox upgrade_insecure_requests );
-my @ALL_SRC = qw(
- default_src worker_src connect_src
- font_src img_src media_src
- object_src script_src style_src
- frame_src frame_ancestors form_action
+my @ALL_SRC = qw(
+ default_src worker_src connect_src
+ font_src img_src media_src
+ object_src script_src style_src
+ frame_src frame_ancestors form_action
);
-has \@ALL_SRC => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 );
-has \@ALL_BOOL => ( is => 'ro', isa => Bool, default => 0 );
-has 'report_uri' => ( is => 'ro', isa => Str, predicate => 1 );
-has 'base_uri' => ( is => 'ro', isa => Str, predicate => 1 );
-has 'report_only' => ( is => 'ro', isa => Bool );
-has 'referrer' => ( is => 'ro', isa => $REFERRER_KEYWORD, predicate => 1 );
-has 'value' => ( is => 'lazy' );
-has 'nonce' => ( is => 'lazy', init_arg => undef, predicate => 1 );
-has 'disable' => ( is => 'ro', isa => Bool, default => 0 );
+has \@ALL_SRC => (is => 'ro', isa => $SOURCE_LIST, predicate => 1);
+has \@ALL_BOOL => (is => 'ro', isa => Bool, default => 0);
+has 'report_uri' => (is => 'ro', isa => Str, predicate => 1);
+has 'base_uri' => (is => 'ro', isa => Str, predicate => 1);
+has 'report_only' => (is => 'ro', isa => Bool);
+has 'referrer' => (is => 'ro', isa => $REFERRER_KEYWORD, predicate => 1);
+has 'value' => (is => 'lazy');
+has 'nonce' => (is => 'lazy', init_arg => undef, predicate => 1);
+has 'disable' => (is => 'ro', isa => Bool, default => 0);
sub _has_directive {
- my ($self, $directive) = @_;
- my $method = 'has_' . $directive;
- return $self->$method;
+ my ($self, $directive) = @_;
+ my $method = 'has_' . $directive;
+ return $self->$method;
}
sub header_names {
- my ($self) = @_;
- my @names = ('Content-Security-Policy');
- if ($self->report_only) {
- return map { $_ . '-Report-Only' } @names;
- }
- else {
- return @names;
- }
+ my ($self) = @_;
+ my @names = ('Content-Security-Policy');
+ if ($self->report_only) {
+ return map { $_ . '-Report-Only' } @names;
+ }
+ else {
+ return @names;
+ }
}
sub add_cgi_headers {
- my ($self, $headers) = @_;
- return if $self->disable;
- foreach my $name ($self->header_names) {
- $headers->{"-$name"} = $self->value;
- }
+ my ($self, $headers) = @_;
+ return if $self->disable;
+ foreach my $name ($self->header_names) {
+ $headers->{"-$name"} = $self->value;
+ }
}
sub _build_value {
- my $self = shift;
- my @result;
-
- my @list_directives = (@ALL_SRC);
- my @boolean_directives = (@ALL_BOOL);
- my @single_directives = qw(report_uri base_uri);
-
- foreach my $directive (@list_directives) {
- next unless $self->_has_directive($directive);
- my @values = map { $self->_quote($_) } @{ $self->$directive };
- if (@values) {
- push @result, join(' ', _name($directive), @values);
- }
+ my $self = shift;
+ my @result;
+
+ my @list_directives = (@ALL_SRC);
+ my @boolean_directives = (@ALL_BOOL);
+ my @single_directives = qw(report_uri base_uri);
+
+ foreach my $directive (@list_directives) {
+ next unless $self->_has_directive($directive);
+ my @values = map { $self->_quote($_) } @{$self->$directive};
+ if (@values) {
+ push @result, join(' ', _name($directive), @values);
}
+ }
- foreach my $directive (@single_directives) {
- next unless $self->_has_directive($directive);
- my $value = $self->$directive;
- if (defined $value) {
- push @result, _name($directive) . ' ' . $value;
- }
+ foreach my $directive (@single_directives) {
+ next unless $self->_has_directive($directive);
+ my $value = $self->$directive;
+ if (defined $value) {
+ push @result, _name($directive) . ' ' . $value;
}
+ }
- foreach my $directive (@boolean_directives) {
- if ($self->$directive) {
- push @result, _name($directive);
- }
+ foreach my $directive (@boolean_directives) {
+ if ($self->$directive) {
+ push @result, _name($directive);
}
+ }
- return join('; ', @result);
+ return join('; ', @result);
}
sub _build_nonce {
- return generate_random_password(48);
+ return generate_random_password(48);
}
sub _name {
- my $name = shift;
- $name =~ tr/_/-/;
- return $name;
+ my $name = shift;
+ $name =~ tr/_/-/;
+ return $name;
}
sub _quote {
- my ($self, $val) = @_;
-
- if ($val eq 'nonce') {
- return q{'nonce-} . $self->nonce . q{'};
- }
- elsif ($SRC_KEYWORD->check($val)) {
- return qq{'$val'};
- }
- else {
- return $val;
- }
+ my ($self, $val) = @_;
+
+ if ($val eq 'nonce') {
+ return q{'nonce-} . $self->nonce . q{'};
+ }
+ elsif ($SRC_KEYWORD->check($val)) {
+ return qq{'$val'};
+ }
+ else {
+ return $val;
+ }
}
-
1;
__END__