

Include OAuth targets in "form-action" Content-Security-Policy

Summary:
Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit directly to third-party sites. Add those targets to the `form-action` directive whenever a page renders such an OAuth form.

Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI.

Test Plan: Clicked all my registration buttons locally without hitting CSP issues.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19159

+29 -14
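--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -24,9 +24,10 @@
 final public function addContentSecurityPolicyURI($kind, $uri) {
 if ($this->contentSecurityPolicyURIs === null) {
 $this->contentSecurityPolicyURIs = array(
-'script' => array(),
-'connect' => array(),
-'frame' => array(),
+'script-src' => array(),
+'connect-src' => array(),
+'frame-src' => array(),
+'form-action' => array(),
 );
 }
 
@@ -125,14 +126,14 @@
 
 // On a small number of pages, including the Stripe workflow and the
 // ReCAPTCHA challenge, we embed external Javascript directly.
-$csp[] = $this->newContentSecurityPolicy('script', $default);
+$csp[] = $this->newContentSecurityPolicy('script-src', $default);
 
 // We need to specify that we can connect to ourself in order for AJAX
 // requests to work.
-$csp[] = $this->newContentSecurityPolicy('connect', "'self'");
+$csp[] = $this->newContentSecurityPolicy('connect-src', "'self'");
 
 // DarkConsole and PHPAST both use frames to render some content.
-$csp[] = $this->newContentSecurityPolicy('frame', "'self'");
+$csp[] = $this->newContentSecurityPolicy('frame-src', "'self'");
 
 // This is a more modern flavor of of "X-Frame-Options" and prevents
 // clickjacking attacks where the page is included in a tiny iframe and
@@ -152,7 +153,7 @@
 // This can result in some trickiness with file downloads if applications
 // try to start downloads by submitting a dialog. Redirect to the file's
 // download URI instead of submitting a form to it.
-$csp[] = "form-action 'self'";
+$csp[] = $this->newContentSecurityPolicy('form-action', "'self'");
 
 // Block use of "<base>" to change the origin of relative URIs on the page.
 $csp[] = "base-uri 'none'";
@@ -177,7 +178,7 @@
 }
 $sources = array_unique($sources);
 
-return "{$type}-src ".implode(' ', $sources);
+return $type.' '.implode(' ', $sources);
 }
 
 private function newContentSecurityPolicySource($uri) {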
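Review bot: `$type` is now written verbatim into the header as the directive name (`return $type.' '.implode(' ', $sources);`), and `addContentSecurityPolicyURI($kind, $uri)` takes the same free-form string from callers, so a typo or an unexpected kind no longer fails loudly but yields a malformed or unintended directive. The initialized map already enumerates the directives this class supports, so it can double as an allowlist; immediately after the initialization block in `addContentSecurityPolicyURI()` I would add `if (!isset($this->contentSecurityPolicyURIs[$kind])) { throw new Exception("Unknown Content-Security-Policy directive: {$kind}"); }`. The part of that method which stores the URI, and the rest of `newContentSecurityPolicy()`, lie outside the hunk, so the check's exact placement should be confirmed against the full method.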
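--- a/src/applications/auth/provider/PhabricatorAuthProvider.php
+++ b/src/applications/auth/provider/PhabricatorAuthProvider.php
@@ -447,6 +447,13 @@
 ));
 }
 
+$static_response = CelerityAPI::getStaticResourceResponse();
+$static_response->addContentSecurityPolicyURI('form-action', (string)$uri);
+
+foreach ($this->getContentSecurityPolicyFormActions() as $csp_uri) {
+$static_response->addContentSecurityPolicyURI('form-action', $csp_uri);
+}
+
 return phabricator_form(
 $viewer,
 array(
@@ -503,6 +510,10 @@
 
 public function getAutoLoginURI(AphrontRequest $request) {
 throw new PhutilMethodNotImplementedException();
+}
+
+protected function getContentSecurityPolicyFormActions() {
+return array();
 }
 
 }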
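Review bot: The new `getContentSecurityPolicyFormActions()` hook (new lines 515-517) has no docblock, yet every URI a subclass returns is appended to the page's `form-action` directive on new line 454, which widens the set of origins any form on that page may submit to; a subclass author needs to know to return only the exact provider endpoints, not a whole origin. I would add above the method: `/** Extra URIs to allow in the "form-action" CSP directive: targets the login form submits to, or is redirected to after a local submit (some browsers apply form-action to that redirect). Return only the specific provider endpoints. */`. The unconditional `(string)$uri` on new line 451 deserves a one-line comment too, e.g. `// The button is a form posting to the provider, so its target must be allowed.`, since the reason is only in the commit message. The method containing new lines 450-455 begins before the hunk.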
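--- a/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php
+++ b/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php
@@ -208,6 +208,9 @@
 parent::willRenderLinkedAccount($viewer, $item, $account);
 }
 
+protected function getContentSecurityPolicyFormActions() {
+return $this->getAdapter()->getContentSecurityPolicyFormActions();
+}
 
 /* -( Temporary Secrets )-------------------------------------------------- */
 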
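Review bot: This override forwards to `$this->getAdapter()->getContentSecurityPolicyFormActions()`, but no adapter class is touched in this revision (the per-file counts sum to the +29/-14 diffstat), so the method must already exist on every adapter an OAuth1 provider can return, presumably in a separate library change; if so, this revision silently depends on that library version and an older checkout would fatal on the login page. A comment naming the dependency, e.g. `// The adapter must implement getContentSecurityPolicyFormActions(); not part of this revision.`, or a `method_exists()` guard that falls back to `array()`, would make that explicit.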
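--- a/src/applications/phortune/provider/PhortuneStripePaymentProvider.php
+++ b/src/applications/phortune/provider/PhortuneStripePaymentProvider.php
@@ -285,8 +285,8 @@
 ->addScript($src);
 
 CelerityAPI::getStaticResourceResponse()
--&gt;addContentSecurityPolicyURI('script', $src)
--&gt;addContentSecurityPolicyURI('frame', $src);
+->addContentSecurityPolicyURI('script-src', $src)
+->addContentSecurityPolicyURI('frame-src', $src);
 
 Javelin::initBehavior(
 'stripe-payment-form',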
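--- a/src/view/form/control/AphrontFormRecaptchaControl.php
+++ b/src/view/form/control/AphrontFormRecaptchaControl.php
@@ -43,9 +43,9 @@
 $pubkey = PhabricatorEnv::getEnvConfig('recaptcha.public-key');
 
 CelerityAPI::getStaticResourceResponse()
-->addContentSecurityPolicyURI('script', $js)
-->addContentSecurityPolicyURI('script', 'https://www.gstatic.com/')
-->addContentSecurityPolicyURI('frame', 'https://www.google.com/');
+->addContentSecurityPolicyURI('script-src', $js)
+->addContentSecurityPolicyURI('script-src', 'https://www.gstatic.com/')
+->addContentSecurityPolicyURI('frame-src', 'https://www.google.com/');
 
 return array(
 phutil_tag(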
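--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -584,7 +584,7 @@
 ) + $this->buildAphlictListenConfigData());
 
 CelerityAPI::getStaticResourceResponse()
-->addContentSecurityPolicyURI('connect', $client_uri);
+->addContentSecurityPolicyURI('connect-src', $client_uri);
 }
 }
 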