From 9c0e3572f91590f130b02f4038ed188966b2d8fd Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Mon, 4 May 2026 23:13:15 -0700
Subject: [PATCH] fix(security): overly permissive content security policy

The CSP in AddContentSecurityPolicyListener.php allows connections to all domains ('*') for connect-src, worker-src, and font-src. This enables the whiteboard to connect to arbitrary external servers, potentially exfiltrating data or receiving malicious content.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Listener/AddContentSecurityPolicyListener.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/Listener/AddContentSecurityPolicyListener.php b/lib/Listener/AddContentSecurityPolicyListener.php
index 6cf9c27f..3c9b3594 100644
--- a/lib/Listener/AddContentSecurityPolicyListener.php
+++ b/lib/Listener/AddContentSecurityPolicyListener.php
@@ -8,6 +8,7 @@ namespace OCA\Whiteboard\Listener;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
+use OCP\AppFramework\IAppContainer;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
 use OCP\IRequest;
@@ -17,6 +18,7 @@ class AddContentSecurityPolicyListener implements IEventListener {
 public function __construct(
 private IRequest $request,
+ private IAppContainer $appContainer,
 ) {
 }
@@ -28,9 +30,12 @@ public function handle(Event $event): void {
 $policy = new EmptyContentSecurityPolicy();
- $policy->addAllowedConnectDomain('*');
- $policy->addAllowedWorkerSrcDomain('*');
- $policy->addAllowedFontDomain('*');
+ $serverUrl = $this->appContainer->getConfig()->getAppValue('whiteboard', 'collabServerUrl', '');
+ if ($serverUrl !== '') {
+ $policy->addAllowedConnectDomain($serverUrl);
+ $policy->addAllowedWorkerSrcDomain($serverUrl);
+ $policy->addAllowedFontDomain($serverUrl);
+ }
 $event->addPolicy($policy);
 }
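Review bot: The `IAppContainer $appContainer` added to the constructor is used in the `handle()` hunk only to call `getConfig()`, and as far as I know `OCP\AppFramework\IAppContainer` does not declare that method, so the listener would likely throw on the first CSP event instead of tightening the policy. Injecting the config service directly removes both the doubtful call and the container-as-locator pattern: `private IConfig $config,` in the constructor, `use OCP\IConfig;` in the import hunk, and `$this->config->getAppValue('whiteboard', 'collabServerUrl', '')` in `handle()`. The class body continues outside these hunks, so any other constructor callers or test doubles are not visible here and would need the same change.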
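Review bot: In the `handle()` hunk `$serverUrl` is copied into three directives exactly as stored, so a configured value of `*` restores the wildcard, and a value carrying whitespace or `;` would, unless the policy builder escapes it, end up verbatim in the header. Validating the value and keeping only scheme, host and port, as sketched below, closes that. If the client reaches the collaboration server over WebSockets, an `https://` source is not guaranteed to match `wss://` connections in every browser, hence the second connect-src entry. Whether `collabServerUrl` is the key the app's settings actually write is not visible here and should be confirmed, because an empty result silently leaves the page with no remote connect-src origin. `handle()` starts above the hunk.

```php
// … unchanged: $policy creation and the $serverUrl lookup …
$parts = filter_var($serverUrl, FILTER_VALIDATE_URL) !== false ? parse_url($serverUrl) : false;
if (is_array($parts) && isset($parts['host']) && in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
	// Only the origin reaches the header: no path, query, wildcard or separator characters.
	$authority = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
	$origin = $parts['scheme'] . '://' . $authority;
	$policy->addAllowedConnectDomain($origin);
	// WebSocket counterpart, in case the client connects over ws(s)://.
	$policy->addAllowedConnectDomain(($parts['scheme'] === 'https' ? 'wss' : 'ws') . '://' . $authority);
	$policy->addAllowedWorkerSrcDomain($origin);
	$policy->addAllowedFontDomain($origin);
}
// … unchanged: $event->addPolicy($policy) …
```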