diff options
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/CGI.pm | 46 | ||||
| -rw-r--r-- | Bugzilla/CGI/ContentSecurityPolicy.pm | 1 | ||||
| -rw-r--r-- | Bugzilla/Template.pm | 5 |
3 files changed, 44 insertions, 8 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 78987ab71..91dec7e72 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -33,13 +33,41 @@ BEGIN { use constant DEFAULT_CSP => ( default_src => [ 'self' ], - script_src => [ 'self', 'https://login.persona.org', 'unsafe-inline', 'unsafe-eval' ], - child_src => [ 'self', 'https://login.persona.org' ], + script_src => [ 'self', 'unsafe-inline', 'unsafe-eval' ], + child_src => [ 'self', ], img_src => [ 'self', 'https://secure.gravatar.com' ], style_src => [ 'self', 'unsafe-inline' ], - disable => 1, + object_src => [ 'none' ], + form_action => [ + 'self', + # used in template/en/default/search/search-google.html.tmpl + 'https://www.google.com/search' + ], + frame_ancestors => [ 'none' ], + disable => 1, ); +# Because show_bug code lives in many different .cgi files, +# we needed a centralized place to define the policy. +# normally the policy would just live in one .cgi file. +# Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant. +sub SHOW_BUG_MODAL_CSP { + return ( + script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ], + object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"], + connect_src => [ + 'self', + # This is from extensions/OrangeFactor/web/js/orange_factor.js + 'https://brasstacks.mozilla.com/orangefactor/api/count', + ], + child_src => [ + 'self', + # This is for the socorro lens addon and is to be removed by Bug 1332016 + 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm' + ], + ); +} + sub _init_bz_cgi_globals { my $invocant = shift; # We need to disable output buffering - see bug 179174 @@ -143,9 +171,9 @@ sub content_security_policy { my ($self, %add_params) = @_; if (Bugzilla->has_feature('csp')) { require Bugzilla::CGI::ContentSecurityPolicy; - return $self->{Bugzilla_csp} if $self->{Bugzilla_csp}; - my %params = DEFAULT_CSP; - if (%add_params) { + if (%add_params || !$self->{Bugzilla_csp}) { + my %params = DEFAULT_CSP; + delete $params{disable} if %add_params && !$add_params{disable}; foreach my $key (keys %add_params) { if (defined $add_params{$key}) { $params{$key} = $add_params{$key}; @@ -154,8 +182,10 @@ sub content_security_policy { delete $params{$key}; } } + $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params); } - return $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params); + + return $self->{Bugzilla_csp}; } return undef; } @@ -455,7 +485,7 @@ sub header { $headers{'-x_content_type_options'} = 'nosniff'; my $csp = $self->content_security_policy; - $csp->add_cgi_headers(\%headers) if defined $csp; + $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable; Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm index 74bce6374..022d49b44 100644 --- a/Bugzilla/CGI/ContentSecurityPolicy.pm +++ b/Bugzilla/CGI/ContentSecurityPolicy.pm @@ -37,6 +37,7 @@ my @ALL_SRC = qw( default_src child_src connect_src font_src img_src media_src object_src script_src style_src + frame_ancestors form_action ); has \@ALL_SRC => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 ); diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index eb1496fca..2887f0138 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -1000,6 +1000,11 @@ sub create { # Currenly active language 'current_language' => sub { return Bugzilla->current_language; }, + 'script_nonce' => sub { + my $cgi = Bugzilla->cgi; + return $cgi->csp_nonce ? sprintf('nonce="%s"', $cgi->csp_nonce) : ''; + }, + # If an sudo session is in progress, this is the user who # started the session. 'sudoer' => sub { return Bugzilla->sudoer; }, |