Add Content Security Policy handling for ReCaptcha and hCaptcha

Bug: T250544 Change-Id: I280054a8252c991cca04ec74bdb41e079c885d99
2024-11-27 09:30:06 +00:00 · 2020-04-18 11:48:07 +02:00 · 2020-04-18 11:48:07 +02:00 · 9aba484800
parent 4cd8e7664f
commit 9aba484800
5 changed files with 40 additions and 0 deletions
--- a/ReCaptchaNoCaptcha/includes/HTMLReCaptchaNoCaptchaField.php
+++ b/ReCaptchaNoCaptcha/includes/HTMLReCaptchaNoCaptchaField.php
@ -41,6 +41,8 @@ class HTMLReCaptchaNoCaptchaField extends HTMLFormField {
 			'g-recaptchascript',
 			"<script src=\"https://www.recaptcha.net/recaptcha/api.js?hl={$lang}\" async defer></script>"
 		);
+		ReCaptchaNoCaptcha::addCSPSources( $out->getCSP() );
+
 		$output = Html::element( 'div', [
 			'class' => [
 				'g-recaptcha',
--- a/ReCaptchaNoCaptcha/includes/ReCaptchaNoCaptcha.php
+++ b/ReCaptchaNoCaptcha/includes/ReCaptchaNoCaptcha.php
@ -62,6 +62,13 @@ HTML;
 		];
 	}

+	/**
+	 * @return string[]
+	 */
+	public static function getCSPUrls() {
+		return [ 'https://www.recaptcha.net/recaptcha/api.js' ];
+	}
+
 	/**
 	 * @param Status|array|string $info
 	 */
--- a/SimpleCaptcha/SimpleCaptcha.php
+++ b/SimpleCaptcha/SimpleCaptcha.php
@ -154,6 +154,27 @@ class SimpleCaptcha {
 		];
 	}

+	/**
+	 * @return string[]
+	 */
+	public static function getCSPUrls() {
+		return [];
+	}
+
+	/**
+	 * Adds the CSP policies necessary for the captcha module to work in a CSP enforced
+	 * setup.
+	 *
+	 * @param ContentSecurityPolicy $csp The CSP instance to add the policies to, usually
+	 * obtained from {@link OutputPage::getCSP()}
+	 */
+	public static function addCSPSources( ContentSecurityPolicy $csp ) {
+		foreach ( static::getCSPUrls() as $src ) {
+			$csp->addScriptSrc( $src );
+			$csp->addStyleSrc( $src );
+		}
+	}
+
 	/**
 	 * Uses getFormInformation() to get the CAPTCHA form and adds it to the given
 	 * OutputPage object.
@ -173,6 +194,8 @@ class SimpleCaptcha {
 	 * @param array $formInformation
 	 */
 	public function addFormInformationToOutput( OutputPage $out, array $formInformation ) {
+		static::addCSPSources( $out->getCSP() );
+
 		if ( !$formInformation ) {
 			return;
 		}
--- a/hCaptcha/includes/HCaptcha.php
+++ b/hCaptcha/includes/HCaptcha.php
@ -46,6 +46,13 @@ class HCaptcha extends SimpleCaptcha {
 		];
 	}

+	/**
+	 * @return string[]
+	 */
+	public static function getCSPUrls() {
+		return [ 'https://hcaptcha.com', 'https://*.hcaptcha.com' ];
+	}
+
 	/**
 	 * @param Status|array|string $info
 	 */
--- a/hCaptcha/includes/HTMLHCaptchaField.php
+++ b/hCaptcha/includes/HTMLHCaptchaField.php
@ -38,6 +38,7 @@ class HTMLHCaptchaField extends HTMLFormField {
 			'h-captcha',
 			"<script src=\"https://hcaptcha.com/1/api.js\" async defer></script>"
 		);
+		HCaptcha::addCSPSources( $out->getCSP() );
 		return Html::element( 'div', [
 			'class' => [
 				'h-captcha',