feat: no iframe, remove view route, csp for iframe

smarinier · smarinier · commit 56e014938ba8 · 2024-11-05T14:37:46.000+01:00
Signed-off-by: Sebastien Marinier &lt;seb@smarinier.net&gt;
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -6,7 +6,6 @@
 return [
 	'routes' => [
 		['name' => 'page#index', 'url' => '/', 'verb' => 'GET'],
-		['name' => 'page#view', 'url' => '/view/{app}', 'verb' => 'GET'],
 		['name' => 'apps#index', 'url' => '/apps', 'verb' => 'GET'],
 		['name' => 'apps#load', 'url' => '/apps/{app}', 'verb' => 'GET'],
 	]
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
@@ -5,30 +5,17 @@
 
 namespace OCA\OCSAPIViewer\Controller;
 
-use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OCA\OCSAPIViewer\AppInfo\Application;
-use OCA\Theming\Service\ThemesService;
-use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IRequest;
 use OCP\Util;
 
 class PageController extends Controller {
-	private ThemesService $themesService;
-	private IAppManager $appManager;
-	private ContentSecurityPolicyNonceManager $nonceManager;
 
 	public function __construct(
 		IRequest $request,
-		ThemesService $themesService,
-		IAppManager $appManager,
-		ContentSecurityPolicyNonceManager $nonceManager
 	) {
-		$this->appManager = $appManager;
-		$this->themesService = $themesService;
-		$this->nonceManager = $nonceManager;
 		parent::__construct(Application::APP_ID, $request);
 	}
 
@@ -39,40 +26,7 @@ public function __construct(
 	public function index(): TemplateResponse {
 		Util::addScript(Application::APP_ID, Application::APP_ID . '-main');
 
-		$response = new TemplateResponse(Application::APP_ID, 'main');
-		$csp = new ContentSecurityPolicy();
-		$csp->addAllowedFrameDomain("'self'");
-		$response->setContentSecurityPolicy($csp);
-		return $response;
+		return new TemplateResponse(Application::APP_ID, 'main');
 	}
 
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 */
-	public function view(string $app): TemplateResponse {
-		// We can't load the script and initial state here, because otherwise all the other scripts would load too
-
-		$theme = 'system';
-		$enabledThemes = array_map(fn(string $id) => explode('-', $id)[0], $this->themesService->getEnabledThemes());
-		if (count(array_filter($enabledThemes, fn(string $id) => $id == 'dark')) > 0) {
-			$theme = 'dark';
-		} else if (count(array_filter($enabledThemes, fn(string $id) => $id == 'light')) > 0) {
-			$theme = 'light';
-		}
-
-		$response = new TemplateResponse(Application::APP_ID, 'iframe', [
-			'app' => $app,
-			'viewer-root' => $this->appManager->getAppWebPath(Application::APP_ID),
-			'theme' => $theme,
-			'nonce' => $this->nonceManager->getNonce(),
-		], TemplateResponse::RENDER_AS_BLANK);
-		$csp = new ContentSecurityPolicy();
-		$csp->addAllowedFrameAncestorDomain("'self'");
-		$csp->addAllowedScriptDomain("'unsafe-eval'");
-		$csp->addAllowedScriptDomain("'unsafe-inline'");
-		$csp->addAllowedScriptDomain('*');
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
 }

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,6 @@`
`6`	`6`	`return [`
`7`	`7`	`'routes' => [`
`8`	`8`	`['name' => 'page#index', 'url' => '/', 'verb' => 'GET'],`
`9`		`- ['name' => 'page#view', 'url' => '/view/{app}', 'verb' => 'GET'],`
`10`	`9`	`['name' => 'apps#index', 'url' => '/apps', 'verb' => 'GET'],`
`11`	`10`	`['name' => 'apps#load', 'url' => '/apps/{app}', 'verb' => 'GET'],`
`12`	`11`	`]`