Commit Graph

52 Commits

Author SHA1 Message Date
Lukas Reschke 38b3ac8213
Add ContentSecurityPolicyNonceManager
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 16:35:31 +02:00
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Hendrik Leppelsack e5d8726859 remove ie8+9 support 2016-06-23 12:34:53 +02:00
C. Montero Luque 0393e80c7c Merge pull request #16857 from owncloud/printStylesheets
Support for print stylesheets
2016-03-31 22:13:44 +02:00
Daniel Aleksandersen 7a45f05ed5 Stupid clients only literally understand rel="icon"
rel="shortcut icon" hasn’t been relevant in years, isn’t in any
standards, and causes problems for simple pattern matching clients.
https://www.w3.org/TR/html/links.html#linkTypes
2016-03-08 21:09:34 +01:00
Hendrik Leppelsack 99b9ec41c1 support print stylesheets 2016-01-13 15:12:11 +01:00
Thomas Müller 2e8d8bf4ef Merge pull request #20236 from maprambo/safari-pinned-tab-icon
added Safari tabbed pin icon
2015-11-09 11:12:38 +01:00
maprambo edb1fee610 Added Safari tabbed pin icon
Added the necessary code and a black and inverted version of the favicon/ touch icon in svg format
2015-11-04 19:31:17 +01:00
Morris Jobke 069ed71dbe Add favicon for IE 8+ 2015-11-03 14:24:20 +01:00
Lukas Reschke 436c149fbb Prevent referer from being sent
Nice hardening for enhanced privacy. Especially useful when using embedded viewers such as files_pdfviewer.
2015-09-09 18:07:43 +02:00
Jan-Christoph Borchardt 0b27bcba76 add theme-color for better Android browser integration 2015-07-29 18:16:01 +02:00
Volker E 790324b313 addressing #14984 removing redundant type attributes 2015-03-18 05:33:17 +01:00
Volker E 4c46d0c46c addressing #14983 obsolete Google Chrome Frame 2015-03-18 02:11:47 +01:00
Volker E 6ad76b5cc2 addressing #14982 self-closing tags ending slash doesn't have a purpose & should be removed 2015-03-17 23:57:23 +01:00
Volker E 25b77159c4 adressing #14979 meta charset declaration should be first in head 2015-03-17 23:36:05 +01:00
Volker E f3cd552797 addressing #14978 - remove html root classes targeting IE6/IE7 2015-03-17 22:35:20 +01:00
Joas Schilling 4172ba48d4 Deduplicate template code and do not translate the links 2015-02-09 16:01:52 +01:00
Lukas Reschke b432ea29c9 Add `rel="noreferrer"` where possible and switch to HTTPS
Just to follow good practise and prevent some automated scanners to complain about "Cross-domain Referer leakage".
2015-02-04 16:25:37 +01:00
Lukas Reschke be19e78e69 Add requesttoken to base template
Potentially fixes https://github.com/owncloud/core/issues/12580
2014-12-05 22:23:55 +01:00
Lukas Reschke 510d0b2cf3 Fix the "addHeader($tag, $attributes, $text)" methods to not ignore the $text parameter
Also support closing tags with no text content given

Conflicts:
	lib/private/template.php
2014-10-28 11:15:58 +01:00
Clark Tomlinson ca5abe5744 Setting moment locale based on user selection 2014-10-23 10:32:47 -04:00
Lukas Reschke bce5c2dae9 Add X-UA-Compatible to all templates
Replaces https://github.com/owncloud/core/pull/10850
2014-09-11 10:28:52 +02:00
Jan-Christoph Borchardt bd56619e7a also add no-JavaScript notice to log in and sharing pages because they do not work without JS either 2014-09-08 18:07:20 +02:00
Clark Tomlinson e0a8321b23 Adding type to favicon 2014-08-22 16:26:39 -04:00
Thomas Müller cbe3595f64 using flush() here is pointless as we render the layout into a memory buffer and actually transmit the data later 2014-08-08 15:44:11 +02:00
Morris Jobke cea7d4961e move to updated version of placeholder 2014-06-03 16:18:06 +02:00
Thomas Müller 30168169b9 Flush the Buffer Early - right after head 2014-04-15 16:56:45 +02:00
Jan-Christoph Borchardt 74eb9bea22 add 'body-public' ID to body in base layout so it can be identified via CSS 2014-03-14 11:08:16 +01:00
Jan-Christoph Borchardt 3e803b5e36 restrict zooming on mobile devices for the publicly accessible, optimized pages 2014-01-17 14:41:05 +01:00
Vincent Petry f8c865993f Fixed viewport layout using commas instead of semicolons
Fixes #5285
2013-10-11 12:52:34 +02:00
Jan-Christoph Borchardt 94ae66c651 fix web interface showing very small when accessed on smartphone 2013-10-06 22:50:11 +03:00
Björn Schießle 75fd6d4fde initialize OC_Defaults in template constructorX 2013-07-24 11:51:21 +02:00
Jan-Christoph Borchardt aacca494c5 introduce shortname themable string and split from title, use for image alt text 2013-07-11 16:38:07 +02:00
Björn Schießle 3c691c9ec9 move to non-static OC_Defaults
Conflicts:

	lib/mail.php
2013-07-04 10:11:16 +02:00
Björn Schießle d46e62886a Add init funtion to OC_Defaults to be able to wrap translatable strings 2013-07-04 10:09:28 +02:00
Björn Schießle b29e01d5cf keep all strings in one place to make it easier to change them 2013-06-12 15:15:08 +02:00
Björn Schießle 7c108edc36 mage page title aware of ownCloud edition 2013-06-12 14:33:24 +02:00
Jörn Friedrich Dreyer 9cb5bf0a28 add ie css switch to layout templates 2013-03-03 13:57:20 +01:00
Lukas Reschke 39e28c0170 Typo... 2013-02-27 23:19:38 +01:00
Lukas Reschke 229c907a57 [core] From echo to p 2013-02-27 22:55:39 +01:00
Bernhard Posselt b537cecdf3 add CSP turned on for angularjs 2013-02-25 22:54:05 +01:00
Bart Visscher 1a747b3e48 Style cleanup core dir 2013-02-21 23:47:21 +01:00
Bart Visscher 149d079fd4 Move loading of js_config to templatelayout
Also check for installed flag because this isn't available before setup
2013-02-07 08:09:53 +01:00
Lukas Reschke fe56e4df7d Fix merge conflict 2013-01-23 11:32:14 +01:00
Lukas Reschke c8bbbb48d3 Merge master... 2013-01-23 11:30:40 +01:00
Lukas Reschke 5fff57339f Move config to core/js/config.php 2013-01-21 00:10:47 +01:00
Michael Gapczynski d39655e126 Move template parameters around so database error page is properly rendered 2013-01-07 14:15:51 -05:00
Thomas Tanghus b51b9539d0 Very simple js console switcher. 2012-11-15 19:43:10 +01:00
Lukas Reschke 7a7f12a0c1 Create only one CSRF token per session
Before, the CSRF token expired every hour. We had a script in place
which should refresh the token but this don't worked in every case.
(Laptop sleeping etc.)

With this commit, the token will only get once created for every
session so that the "Token expired" warning shouldn't appear.
2012-10-31 18:37:59 +01:00
Björn Schießle f493e97f5d always generate access token, also for forms shown to anonymous users (e.g. public shares) 2012-10-05 10:32:38 +02:00