* we introduced this setting in the beginning because our
avatar support caused some performance issues, but we
fixed them and should only provide one way that Nextcloud
looks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
CSP nonces are a feature available with CSP v2. Basically, instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce."
At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`; we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody includes JS files on their own (instead of using the `addScript` public API), they now must also include that attribute.
IE currently does not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well, as `'unsafe-inline'` is ignored by CSP v2 when a nonce is set. But this would make this security feature unusable in IE. Not worth it at the moment IMO.
Implementing this offers the following advantages:
1. **Security:** As we host resources from the same domain by design, we don't have to worry about 'self' being in the whitelist anymore
2. **Performance:** We can move oc.js back to inline JS. This makes loading way quicker, as we don't have to load a blocking, dynamic, non-cached JavaScript file on every load of a new web page.
If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
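The nonce mechanism described in the commit message above, as an added example (not code from the Nextcloud/ownCloud codebase): the nonce is derived from a request token containing `:` by base64-encoding it, the `Content-Security-Policy` header is built either with a `'nonce-…'` source (CSP v2 browsers) or with the legacy `'self'` whitelist (the IE fallback the message mentions), and a small model of a CSP v2 browser decides whether a given `<script>` tag may run. The request token format, the boolean `supports_csp2` switch standing in for the browser whitelist, and the `script_allowed` model are assumptions made for this example.

```python
import base64
import re
import secrets
from typing import Optional

# Characters CSP allows inside 'nonce-...': the base64 alphabet plus padding.
# A raw request token contains ':' and so cannot be used directly.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_valid_nonce(value: str) -> bool:
    """True if value may appear as 'nonce-<value>' in a CSP source list."""
    return bool(BASE64_RE.match(value))


def make_nonce(request_token: str) -> str:
    """Derive the nonce from the per-request token, as the commit describes:
    base64 so that ':' in the token does not break the CSP grammar."""
    return base64.b64encode(request_token.encode()).decode()


def fresh_request_token() -> str:
    """Constructed stand-in for a request token: 'id:secret', ':' included."""
    return secrets.token_hex(8) + ":" + secrets.token_hex(8)


def build_csp(nonce: str, supports_csp2: bool) -> str:
    """Policy string for the Content-Security-Policy header.

    Assumption: the CSP v2 capability decision is made elsewhere (the commit
    mentions a browser whitelist); here it is a plain boolean.
    """
    if supports_csp2:
        script_src = f"'nonce-{nonce}'"
    else:
        # Legacy browsers (IE) only understand CSP v1, so fall back to the
        # same-origin whitelist the nonce was meant to replace.
        script_src = "'self'"
    return "; ".join([
        "default-src 'none'",
        f"script-src {script_src}",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "connect-src 'self'",
    ])


def script_tag(nonce: str, src: Optional[str] = None, inline_js: str = "") -> str:
    """Render a script tag the way addScript would have to: with the nonce."""
    if src is not None:
        return f'<script nonce="{nonce}" src="{src}"></script>'
    return f'<script nonce="{nonce}">{inline_js}</script>'


_SCRIPT_SRC_RE = re.compile(r"(?:^|;)\s*script-src\s+([^;]+)")
_NONCE_ATTR_RE = re.compile(r'<script\b[^>]*\bnonce="([^"]*)"')
_SRC_ATTR_RE = re.compile(r'<script\b[^>]*\bsrc="([^"]*)"')


def script_allowed(policy: str, tag: str) -> bool:
    """Simplified model of a CSP v2 browser deciding whether a script tag runs.

    Same-origin is approximated by a root-relative src ("/..."); a real
    browser compares full origins.
    """
    m = _SCRIPT_SRC_RE.search(policy)
    if not m:
        return False
    sources = m.group(1).split()
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonces:
        # Once a nonce source is present, 'unsafe-inline' is ignored and only
        # tags carrying a matching nonce run, whatever origin src points to.
        tag_nonce = _NONCE_ATTR_RE.search(tag)
        return tag_nonce is not None and tag_nonce.group(1) in nonces
    src = _SRC_ATTR_RE.search(tag)
    if src is None:
        return "'unsafe-inline'" in sources
    return "'self'" in sources and src.group(1).startswith("/")


if __name__ == "__main__":
    token = fresh_request_token()
    nonce = make_nonce(token)
    policy = build_csp(nonce, supports_csp2=True)
    print("Content-Security-Policy:", policy)
    good = script_tag(nonce, src="/core/js/oc.js")
    bad = '<script src="/core/js/oc.js"></script>'  # forgot the nonce attribute
    print(good, "->", script_allowed(policy, good))
    print(bad, "->", script_allowed(policy, bad))
```

Run it once to see the header and the two verdicts; the tag without the `nonce` attribute is blocked even though it is served from the same origin, which is exactly the obligation the message places on anyone bypassing `addScript`.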
Moves the update notification code into a single app. This is required since we want to use SSO for the new updater and for this have some code running in ownCloud as well (and we don't want that in core necessarily). This app can provide that in the future; right now it's only the update notification itself. Will continue working on the SSO right away but wanted to keep the PR small.
Furthermore also makes some more code unit-testable...
In case the update server delivers malicious content, this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.
While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
* instead of a static rendering inside PHP use the
JS OC.Notification.showTemporary to hide the
notification after 7 seconds automatically
* fixes #14811
* Original avatarcontroller migrated to the appframework
* Added DataDisplayResponse that shows data inline in the browser (used
to return the image)
* Removed some unneeded code
* Added unit tests for the avatarcontroller
filter installed and not-installed apps properly
kill unneeded file
load category 'Installed' on page load
adding documentation links
new apps mgmt: first style adjustment
apps mgmt: only show license and preview if they exist
adding buttons
new apps mgmt: fix for mobile
use app icon if available
new apps mgmt: position enable/disable toggle to the right
new apps mgmt: proper display of icons or previews
new apps mgmt: fix loading spinner
reenable group selection for apps
new apps mgmt: position enable button normally again
new apps mgmt: clarify wording from 'Installed' to 'Enabled'
reintroduce enable/disable
Move rating image path generation to client-side
Move expression outside of l10n
fix group handling
add buttons for 'More apps' and 'Add your app' again
disable changed date of app for now
adding recommended label
style 'Recommended' app tag
fixing php warning
sort by rating
adding meta-category 'Recommended'
Only show existing documentation links
lazy loading of screenshots
making group based app activation work again
adding support to get the app icon not only by the app name but also simply by the fixed name 'app.svg'
adding app.svg for all core apps
query string '?installed' is no longer needed
update and uninstall is back + error feedback
remove unneeded parameter
fix alignment of 'recommended' label