nextcloud/lib/public/Security/CSP/AddContentSecurityPolicyEve...

<?php

declare(strict_types=1);

/**
 * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @author Christoph Wurst <christoph@winzerhof-wurst.at>
 * @author Morris Jobke <hey@morrisjobke.de>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

namespace OCP\Security\CSP;

use OC\Security\CSP\ContentSecurityPolicyManager;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\EventDispatcher\Event;

/**
 * Allows to inject something into the default content policy. This is for
 * example useful when you're injecting Javascript code into a view belonging
 * to another controller and cannot modify its Content-Security-Policy itself.
 * Note that the adjustment is only applied to applications that use AppFramework
 * controllers.
 *
 * WARNING: Using this API incorrectly may make the instance more insecure.
 * Do think twice before adding whitelisting resources. Please do also note
 * that it is not possible to use the `disallowXYZ` functions.
 *
 * @since 17.0.0
 */
class AddContentSecurityPolicyEvent extends Event {

	/** @var ContentSecurityPolicyManager */
	private $policyManager;

	/**
	 * @since 17.0.0
	 */
	public function __construct(ContentSecurityPolicyManager $policyManager) {
		parent::__construct();
		$this->policyManager = $policyManager;
	}

	/**
	 * @since 17.0.0
	 */
	public function addPolicy(EmptyContentSecurityPolicy $csp): void {
		$this->policyManager->addDefaultPolicy($csp);
	}
}
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`<?php`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`declare(strict_types=1);`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`/**`
			`* @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00			`* @author Christoph Wurst <christoph@winzerhof-wurst.at>`
Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-08-24 15:54:25 +03:00			`* @author Morris Jobke <hey@morrisjobke.de>`
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
			`*`
			`* @license GNU AGPL version 3 or any later version`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 21:57:53 +03:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`*`
			`*/`

			`namespace OCP\Security\CSP;`

			`use OC\Security\CSP\ContentSecurityPolicyManager;`
			`use OCP\AppFramework\Http\EmptyContentSecurityPolicy;`
			`use OCP\EventDispatcher\Event;`

			`/**`
Add PHP doc for events Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2020-08-10 15:24:24 +03:00			`* Allows to inject something into the default content policy. This is for`
			`* example useful when you're injecting Javascript code into a view belonging`
			`* to another controller and cannot modify its Content-Security-Policy itself.`
			`* Note that the adjustment is only applied to applications that use AppFramework`
			`* controllers.`
			`*`
			`* WARNING: Using this API incorrectly may make the instance more insecure.`
			`* Do think twice before adding whitelisting resources. Please do also note`
			* that it is not possible to use the `disallowXYZ` functions.
			`*`
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`* @since 17.0.0`
			`*/`
			`class AddContentSecurityPolicyEvent extends Event {`

			`/** @var ContentSecurityPolicyManager */`
			`private $policyManager;`

			`/**`
			`* @since 17.0.0`
			`*/`
			`public function __construct(ContentSecurityPolicyManager $policyManager) {`
Use Symfony's new contract Event class instead of the deprecated one Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-09-10 12:37:53 +03:00			`parent::__construct();`
Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-05-24 22:42:37 +03:00			`$this->policyManager = $policyManager;`
			`}`

			`/**`
			`* @since 17.0.0`
			`*/`
			`public function addPolicy(EmptyContentSecurityPolicy $csp): void {`
			`$this->policyManager->addDefaultPolicy($csp);`
			`}`
			`}`