mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/lib/private/security
History
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults 
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
 		2016-01-28 18:36:46 +01:00
..
csp Add public API to give developers the possibility to adjust the global CSP defaults 2016-01-28 18:36:46 +01:00
csrf Add new CSRF manager for unit testing purposes 2016-01-25 20:03:40 +01:00
certificate.php Happy new year! 2016-01-12 15:02:18 +01:00
certificatemanager.php Merge pull request #21653 from owncloud/update-license-headers-2016 2016-01-13 08:29:42 +01:00
credentialsmanager.php Introduce CredentialsManager for storage of credentials in DB 2016-01-18 11:10:41 +01:00
crypto.php Happy new year! 2016-01-12 15:02:18 +01:00
hasher.php Happy new year! 2016-01-12 15:02:18 +01:00
securerandom.php Fix usage of PHP method within namespace 2016-01-14 09:24:21 +01:00
trusteddomainhelper.php Happy new year! 2016-01-12 15:02:18 +01:00