Commit Graph

88 Commits

Author SHA1 Message Date
Joas Schilling b7060be18d
Fix robots "noindex, nofollow" signals
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-06-25 08:29:43 +02:00
Roeland Jago Douma fbf9772a3e
Allow to specify the cookie type for appframework responses
In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.

Helps with #21474

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-06-22 08:38:44 +02:00
Roeland Jago Douma 4fbea316a7
Merge pull request #20897 from nextcloud/bugfix/httpcache
Proxy server could cache http response when it is not private
2020-05-13 08:27:05 +02:00
Clement Wong e9be3a9090 Add public argument to Http cacheFor()
Signed-off-by: Clement Wong <git@clement.hk>
2020-05-10 20:24:14 +02:00
Clement Wong 401210d259 Proxy server could cache http response when it is not private
Signed-off-by: Clement Wong <git@clement.hk>
2020-05-10 11:24:08 +02:00
Christoph Wurst cb057829f7
Update license headers for 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Christoph Wurst 28f8eb5dba
Add visibility to all constants
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst caff1023ea
Format control structures, classes, methods and function
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.

This also removes and empty lines from method/function bodies at the
beginning and end.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst afbd9c4e6e
Unify function spacing to PSR2 recommendation
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Christoph Wurst 41b5e5923a
Use exactly one empty line after the namespace declaration
For PSR2

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst 2fbad1ed72
Fix (array) indent style to always use one tab
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +02:00
Christoph Wurst 1a9330cd69
Update the license headers for Nextcloud 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +02:00
Christoph Wurst 463b388589
Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports
Remove unused imports
2020-03-27 17:14:08 +01:00
Christoph Wurst b80ebc9674
Use the short array syntax, everywhere
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +01:00
Christoph Wurst 74936c49ea
Remove unused imports
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 22:08:08 +01:00
Pavel Krasikov 4c01326913 add docs for useJsNonce
Signed-off-by: Pavel Krasikov <klonishe@gmail.com>
2020-03-15 17:02:11 +03:00
Christoph Wurst 6127c288e8 Fix license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-01-13 14:23:49 +01:00
Daniel Calviño Sánchez 883a71ce8e Split the menu entry for external shares in two
The external shares entry showed a "button" that, when pressed, replaced
the button with the input to set the remote share address. The "button"
was actually a label for the input, so when the label was focused it
transferred the focus to the input and thus pressing enter or space did
not show the input. Moreover, inputs inside links are not valid HTML,
and once shown there was no way to hide the input again.

Due to all this, and for consistency with the direct link input, the
external share input was moved to a different menu item that is shown
and hidden when the button, which nows is also a real button, is
clicked.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2019-12-30 10:29:36 +01:00
Daniel Calviño Sánchez 33b2f4e295 Format HTML elements
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2019-12-30 10:29:36 +01:00
Christoph Wurst 5bf3d1bb38
Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma 68748d4f85
Some php-cs fixes
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Roeland Jago Douma a85f2f4165
set default CSP on NotFoundResponse
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-09-09 22:37:12 +02:00
Roeland Jago Douma 35db32f504
Add deprecation warning
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-29 14:52:50 +02:00
Roeland Jago Douma c40fe8b819
Do not enforce the parent constructor of response to be called
If there is no policy set we just take the default empty ones.
That way no obscure errors get thrown if the constructor is not called.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-19 14:39:34 +02:00
Roeland Jago Douma c4cafae884
frame-src doesn't respect the nonce attribute
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-16 21:29:57 +02:00
Roeland Jago Douma b8c5008acf
Add feature policy header
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma f94ee72507
Add form-action CSP element
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +02:00
Roeland Jago Douma cd243b0876
No need to have these classes we tighten the default CSP from time to
time

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 14:59:48 +02:00
Roeland Jago Douma 7276735eb4
Set empty CSP by default
For #14179

By default responses should have the strictest (and simplest) CSP
possible. Only template responses should require an actual CSP.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-16 14:09:39 +02:00
Roeland Jago Douma 4d8e1f6c67
CSP: set nonce for iframes
This for now uses the jsNonce. That way we can easily backport it.
For 17 I will fix it properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-03-16 20:20:03 +01:00
Joas Schilling 3203d3e806
Allow apps to redirect to the default app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 09:19:46 +01:00
Roeland Jago Douma b68567e9ba
Add StandaloneTemplateResponse
This can be used by pages that do not have the full Nextcloud UI.
So notifications etc do not load there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:26:18 +01:00
Roeland Jago Douma d182037bce
Emit to load additionalscripts
Fixes #13662

This will fire of an event after a Template Response has been returned.
There is an event for the generic loading and one when logged in. So
apps can chose to load only on loged in pages.

This is a more generic approach than the files app event. As some things
we might want to load on other pages as well besides the files app.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-31 12:11:40 +01:00
Roeland Jago Douma ad676c0102
Set default frame-ancestors to 'self'
For #13042

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +01:00
Roeland Jago Douma 64244e1a4f
CSP: Allow fonts to be provided in data
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +01:00
Roeland Jago Douma 58345e02d2
Basic CSP no longer deprecated
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-08 10:37:48 +01:00
Roeland Jago Douma 579822b6a5
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma 5b61ef9213
Disallow unsafe-eval by default
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +02:00
Morris Jobke bcbffdb644
Add PHPDoc
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-10-02 22:35:31 +02:00
Roeland Jago Douma 7d9052d4b9
fixup! Add fix response
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:17:27 +02:00
Roeland Jago Douma a891f42a5d
fixup! Add fix response
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:16:28 +02:00
Jakob Sack a9fa220e68
Add fix response
implements #7589
2018-10-02 08:13:39 +02:00
Roeland Jago Douma 8354c50911
Deprecate the childSrc functions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c8fe4b4fc8
Add workerSrc to CSP
Fixes #11035

Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c21cee248c
Disallow eval on the StrictEvalCSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-11 21:12:36 +02:00
Roeland Jago Douma b38fa573e1
Add stricter CSPs
* Deprecate our default CSP
* Add strict CSP that is always our strictest setting
* Add strict eval CSP (disable unsafe-eval)
* Add strict inline CSP (disables inline styles)

This is just to move forward and have a incremental improvement of our
CSP

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-13 14:47:57 +02:00
Roeland Jago Douma a34495933e
Move caching logic to response
This avoids having to do it at all the places we want cached responses.

We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 08:48:54 +02:00
Julius Härtl 6ded1c46b7
Add since tags
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 13:18:17 +02:00
Julius Härtl 2e60f91ab1
Move external share saving to template
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 13:11:55 +02:00
Julius Härtl 30e76f9f14
Add footer to public page template
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 12:22:01 +02:00