9e6634814e
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce." At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`; we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API), they now must also include that attribute.

IE does not currently implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well, as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design, we don't have to worry about 'self' anymore being in the whitelist.
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking, dynamic, non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
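As an added example (not Nextcloud's own code, and not part of the commit above), the following Python sketch walks through the mechanism the commit message describes: deriving a base64 nonce from a per-request token so that characters like `:` never reach the header, emitting the nonce-based policy for browsers that support CSP v2 and a `'self'`-based fallback for the others, rendering `<script>` tags that carry the nonce, and a simplified model of the browser-side decision, including the CSP v2 rule that `'unsafe-inline'` is ignored once a nonce source is present. The token value, page origin and script URLs are constructed; the user-agent whitelist that decides which policy to send and the browser model's omissions (no hash sources, no scheme or path matching) are simplifications of this example, not of the project.

```python
import base64
import re
import secrets
from typing import List, Optional

# The CSP grammar restricts a nonce value to the base64 alphabet (plus '=' padding);
# characters such as ':' in a raw request token are not allowed, hence the encoding step.
NONCE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def nonce_from_token(request_token: str) -> str:
    """Derive a CSP-safe nonce from an opaque per-request token (constructed input)."""
    nonce = base64.b64encode(request_token.encode("utf-8")).decode("ascii")
    if not NONCE_VALUE_RE.match(nonce):
        raise ValueError("nonce is not a valid base64-value")
    return nonce


def fresh_nonce() -> str:
    """A random per-response nonce (the conventional alternative to a token-derived one)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str, supports_csp_v2: bool) -> str:
    """Policy to send: nonce-based for CSP v2 browsers, host-based ('self') for the rest.

    How supports_csp_v2 is determined (e.g. a user-agent whitelist) is outside this example.
    """
    if supports_csp_v2:
        return f"default-src 'self'; script-src 'nonce-{nonce}'"
    return "default-src 'self'; script-src 'self'"


def script_tag(nonce: str, src: Optional[str] = None, inline_js: str = "") -> str:
    """Render a <script> carrying the nonce, as every script on the page now must."""
    if src is not None:
        return f'<script nonce="{nonce}" src="{src}"></script>'
    return f'<script nonce="{nonce}">{inline_js}</script>'


def _script_sources(policy: str) -> List[str]:
    """Return the source list governing scripts: script-src, else default-src."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def script_allowed(policy: str, script_nonce: Optional[str], src: Optional[str],
                   page_origin: str) -> bool:
    """Simplified model of a browser's script-src decision for one <script> element.

    Only nonce sources, 'self', 'unsafe-inline' and host prefixes are modelled;
    hash sources and scheme/path matching are left out for brevity.
    """
    sources = _script_sources(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    if script_nonce is not None and script_nonce in nonces:
        return True  # a matching nonce wins for inline and external scripts alike, any origin
    if src is None:
        # Inline script without a matching nonce: 'unsafe-inline' would allow it,
        # but CSP v2 ignores 'unsafe-inline' as soon as a nonce or hash source is listed.
        return "'unsafe-inline'" in sources and not nonces
    if "'self'" in sources and src.startswith(page_origin + "/"):
        return True
    return any(src.startswith(host) for host in sources if not host.startswith("'"))


if __name__ == "__main__":
    token = "abc:123"  # constructed stand-in for a request token containing ':'
    nonce = nonce_from_token(token)
    policy = csp_header(nonce, supports_csp_v2=True)
    print(policy)
    print(script_tag(nonce, inline_js="window.oc_webroot = '/';"))
    # same-origin script without the nonce attribute: blocked under the v2 policy
    print(script_allowed(policy, None, "https://cloud.example/core/js/oc.js", "https://cloud.example"))
```

Two things the model makes visible: under the nonce policy a same-origin script that omits the `nonce` attribute is blocked, which is exactly why scripts added outside `addScript` must now carry it, while the fallback policy for browsers without CSP v2 still lists `'self'`, so the security gain only reaches browsers that receive the nonce policy. Also, a nonce derived from a token that is not rotated per response keeps the same value across responses, so anything that can read one page can reuse it until the token changes; `fresh_nonce` shows the per-response alternative.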
README.md
Nextcloud
Please stay tuned while we get all the repositories up.
Meanwhile check out https://nextcloud.com and follow us on https://twitter.com/nextclouders
If you want to contribute, you are very welcome:
- on our IRC channels #nextcloud & #nextcloud-dev irc://#nextcloud-dev@freenode.net (on freenode) and
- our forum at https://help.nextcloud.com
Please read the Code of Conduct. This document offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
If you want to join the GitHub organization just let us know and we'll add you! :)
This is by the community, for the community. Everyone is welcome! :)
Why is this so awesome?
- 📁 Access your Data You can store your files, contacts, calendars and more on a server of your choosing.
- 📦 Sync your Data You keep your files, contacts, calendars and more synchronized amongst your devices.
- 🔄 Share your Data You share your data with others, and give them access to your latest photo galleries, your calendar or anything else you want them to see.
- 🚀 Expandable with dozens of Apps ...like Calendar, Contacts, Mail or News.
- ☁️ All Benefits of the Cloud ...on your own Server.
- 🔒 Encryption You can encrypt data in transit with secure https connections. You can enable the encryption app to encrypt data on storage for improved security and privacy.
- ...
Installation
Read the Full Installation Documentation
- Install yourself, use our appliances or find a provider
- Set permissions
- Sync your data via Desktop or Mobile App
Contribution Guidelines
All contributions to this repository from June, 16 2016 on are considered to be licensed under the AGPLv3 or any later version.
Nextcloud doesn't require a CLA (Contributor License Agreement). The copyright belongs to all the individual contributors. Therefore we recommend that every contributor adds following line to the header of a file, if they changed it substantially:
@copyright Copyright (c) <year>, <your name> (<your email address>)
More information how to contribute: https://nextcloud.com/contribute/
Running master checkouts
Third-party components are handled as git submodules which have to be initialized first. So aside from the regular git checkout, invoking `git submodule update --init` or a similar command is needed; for details see the Git documentation.
Several apps that are included by default in regular releases, like firstrunwizard or gallery, are missing in master and have to be installed manually as required.
That aside, Git checkouts can be handled the same as release archives.
Note that they should never be used on production systems.
Nextcloud VM
If you're not familiar with Linux, or simply just want to get up and running on a pre-configured system in no time - we have developed a VM that you can download. Just extract it and mount it in VMware or VirtualBox and you're all set.
Download the latest version of the Nextcloud VM
Support
Learn about the different ways you can get support for Nextcloud: https://nextcloud.com/support/
Get in touch
- 📋 Forum
- #️⃣ IRC channel