mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/tests/lib/security
History
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults 
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
 		2016-01-28 18:36:46 +01:00
..
csp Add public API to give developers the possibility to adjust the global CSP defaults 2016-01-28 18:36:46 +01:00
csrf Add new CSRF manager for unit testing purposes 2016-01-25 20:03:40 +01:00
certificate.php Use certificates that expire in 10 years 2015-08-27 22:23:08 +02:00
certificatemanager.php Allow admins to add system wide root certificates 2016-01-12 12:50:59 +01:00
credentialsmanager.php fix test 2016-01-18 12:08:58 +01:00
crypto.php Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
hasher.php Move the helpful method to the TestCase class 2015-06-03 12:33:29 +02:00
securerandom.php getMediumStrengthGenerator is deprecated and does not do anything anymore 2016-01-11 20:06:30 +01:00
trusteddomainhelper.php Do not trust casting 2015-12-08 08:50:00 +01:00