mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/tests/lib/appframework
History
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults 
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
 		2016-01-28 18:36:46 +01:00
..
controller Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
db If the execute method on the mapper receives an assoc array, it binds by value instead of index 2015-03-19 17:08:46 +01:00
dependencyinjection Mock DIContainer to not hit the database 2015-11-30 10:55:05 +01:00
http Add public API to give developers the possibility to adjust the global CSP defaults 2016-01-28 18:36:46 +01:00
middleware Add public API to give developers the possibility to adjust the global CSP defaults 2016-01-28 18:36:46 +01:00
routing fix tests 2015-11-27 17:05:58 +01:00
utility Fix unit test 2015-12-24 09:20:26 +01:00
AppTest.php Apply DB group annotation ... 2015-11-30 10:55:05 +01:00