Commit Graph

18 Commits

Author SHA1 Message Date
Roeland Jago Douma 3b1e16458d
Forbid eval on legacy responses
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-09 09:58:23 +02:00
Peter Kraume 79b8703f29 Set Referrer-Policy also in addSecurityHeaders()
Fix: #12689
Signed-off-by: Peter Kraume <peter.kraume@gmx.de>
2018-11-27 16:39:06 +01:00
Morris Jobke b0a296e2e1
Do not use HTTP code OC_Response constants anymore
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-26 16:14:15 +02:00
Morris Jobke 79d9841bce
Replace hardcoded status headers with calls to http_response_code()
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-06-26 16:14:15 +02:00
Morris Jobke 53a899a1f5
Fix the HTTP 1.0 status code and properly detect 1.0 vs 1.1&2.0
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-03-13 09:22:26 +01:00
Morris Jobke e758cfcdc8
Remove unused methods of OC_Response
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-03-12 18:42:30 +01:00
Morris Jobke 70b1f510f2
Use normal header() calls instead of private method calls
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-19 09:40:25 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Lukas Reschke dfd8125aeb
Replace wrong PHPDocs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Joas Schilling bd37021587
Fix casing of same origin frame option
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-12 12:37:32 +02:00
Morris Jobke dbf6b7ff86 Merge pull request #4127 from nextcloud/update-legacy-csp-policy
Update legacy CSP policy
2017-03-28 17:47:32 -06:00
Lukas Reschke 3a90ab7e0a
Update legacy CSP policy
Aligns it with the one enforced by the AppFramework

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-28 23:55:31 +02:00
Lukas Reschke bff6c8aafc
Move X-Frame-Options into PHP
The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-26 17:26:11 +02:00
Lukas Reschke fdcb8edd78
Add nonce also to legacy CSP
Pages that do not use the AppFramework have its CSP inherited from `\OC_Response::addSecurityHeaders`. While those are not many anymore, there are some examples such as the "Help" page.

To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.

To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-26 09:41:18 +02:00
Sergio Bertolín 0417cbafd0
Changed request to not add a prefix to the url (#26256)
* Changed request to not add a prefix to the url

* Expecting forbidden instead of service unavailable

* Handling login exceptions
2016-10-20 17:21:08 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Roeland Jago Douma 368be8894c
Move non PSR-4 files from lib/private root to legacy
As discussed we move all old style classes (OC_FOO_BAR) to legacy.
Then from there we can evaluate the need to convert them back or if they
can be fully deprecated/deleted.
2016-04-30 11:32:22 +02:00