Passed
Push — master ( 198b41...933826 )
by Julius
14:31 queued 13s
created
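--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -37,511 +37,511 @@
  * @since 9.0.0
  */
 class EmptyContentSecurityPolicy {
-	/** @var bool Whether inline JS snippets are allowed */
-	protected $inlineScriptAllowed = null;
-	/** @var string Whether JS nonces should be used */
-	protected $useJsNonce = null;
-	/** @var bool Whether strict-dynamic should be used */
-	protected $strictDynamicAllowed = null;
-	/**
-	 * @var bool Whether eval in JS scripts is allowed
-	 * TODO: Disallow per default
-	 * @link https://github.com/owncloud/core/issues/11925
-	 */
-	protected $evalScriptAllowed = null;
-	/** @var array Domains from which scripts can get loaded */
-	protected $allowedScriptDomains = null;
-	/**
-	 * @var bool Whether inline CSS is allowed
-	 * TODO: Disallow per default
-	 * @link https://github.com/owncloud/core/issues/13458
-	 */
-	protected $inlineStyleAllowed = null;
-	/** @var array Domains from which CSS can get loaded */
-	protected $allowedStyleDomains = null;
-	/** @var array Domains from which images can get loaded */
-	protected $allowedImageDomains = null;
-	/** @var array Domains to which connections can be done */
-	protected $allowedConnectDomains = null;
-	/** @var array Domains from which media elements can be loaded */
-	protected $allowedMediaDomains = null;
-	/** @var array Domains from which object elements can be loaded */
-	protected $allowedObjectDomains = null;
-	/** @var array Domains from which iframes can be loaded */
-	protected $allowedFrameDomains = null;
-	/** @var array Domains from which fonts can be loaded */
-	protected $allowedFontDomains = null;
-	/** @var array Domains from which web-workers and nested browsing content can load elements */
-	protected $allowedChildSrcDomains = null;
-	/** @var array Domains which can embed this Nextcloud instance */
-	protected $allowedFrameAncestors = null;
-	/** @var array Domains from which web-workers can be loaded */
-	protected $allowedWorkerSrcDomains = null;
-	/** @var array Domains which can be used as target for forms */
-	protected $allowedFormActionDomains = null;
-
-	/** @var array Locations to report violations to */
-	protected $reportTo = null;
-
-	/**
-	 * Whether inline JavaScript snippets are allowed or forbidden
-	 * @param bool $state
-	 * @return $this
-	 * @since 8.1.0
-	 * @deprecated 10.0 CSP tokens are now used
-	 */
-	public function allowInlineScript($state = false) {
-		$this->inlineScriptAllowed = $state;
-		return $this;
-	}
-
-	/**
-	 * @param bool $state
-	 * @return EmptyContentSecurityPolicy
-	 * @since 24.0.0
-	 */
-	public function useStrictDynamic(bool $state = false): self {
-		$this->strictDynamicAllowed = $state;
-		return $this;
-	}
-
-	/**
-	 * Use the according JS nonce
-	 * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
-	 *
-	 * @param string $nonce
-	 * @return $this
-	 * @since 11.0.0
-	 */
-	public function useJsNonce($nonce) {
-		$this->useJsNonce = $nonce;
-		return $this;
-	}
-
-	/**
-	 * Whether eval in JavaScript is allowed or forbidden
-	 * @param bool $state
-	 * @return $this
-	 * @since 8.1.0
-	 * @deprecated Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.
-	 */
-	public function allowEvalScript($state = true) {
-		$this->evalScriptAllowed = $state;
-		return $this;
-	}
-
-	/**
-	 * Allows to execute JavaScript files from a specific domain. Use * to
-	 * allow JavaScript from all domains.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedScriptDomain($domain) {
-		$this->allowedScriptDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed script domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowScriptDomain($domain) {
-		$this->allowedScriptDomains = array_diff($this->allowedScriptDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Whether inline CSS snippets are allowed or forbidden
-	 * @param bool $state
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function allowInlineStyle($state = true) {
-		$this->inlineStyleAllowed = $state;
-		return $this;
-	}
-
-	/**
-	 * Allows to execute CSS files from a specific domain. Use * to allow
-	 * CSS from all domains.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedStyleDomain($domain) {
-		$this->allowedStyleDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed style domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowStyleDomain($domain) {
-		$this->allowedStyleDomains = array_diff($this->allowedStyleDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Allows using fonts from a specific domain. Use * to allow
-	 * fonts from all domains.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedFontDomain($domain) {
-		$this->allowedFontDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed font domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowFontDomain($domain) {
-		$this->allowedFontDomains = array_diff($this->allowedFontDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Allows embedding images from a specific domain. Use * to allow
-	 * images from all domains.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedImageDomain($domain) {
-		$this->allowedImageDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed image domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowImageDomain($domain) {
-		$this->allowedImageDomains = array_diff($this->allowedImageDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * To which remote domains the JS connect to.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedConnectDomain($domain) {
-		$this->allowedConnectDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed connect domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowConnectDomain($domain) {
-		$this->allowedConnectDomains = array_diff($this->allowedConnectDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * From which domains media elements can be embedded.
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedMediaDomain($domain) {
-		$this->allowedMediaDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed media domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowMediaDomain($domain) {
-		$this->allowedMediaDomains = array_diff($this->allowedMediaDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * From which domains objects such as <object>, <embed> or <applet> are executed
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedObjectDomain($domain) {
-		$this->allowedObjectDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed object domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowObjectDomain($domain) {
-		$this->allowedObjectDomains = array_diff($this->allowedObjectDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Which domains can be embedded in an iframe
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function addAllowedFrameDomain($domain) {
-		$this->allowedFrameDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed frame domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 */
-	public function disallowFrameDomain($domain) {
-		$this->allowedFrameDomains = array_diff($this->allowedFrameDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Domains from which web-workers and nested browsing content can load elements
-	 * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
-	 * @return $this
-	 * @since 8.1.0
-	 * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
-	 */
-	public function addAllowedChildSrcDomain($domain) {
-		$this->allowedChildSrcDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove the specified allowed child src domain from the allowed domains.
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 8.1.0
-	 * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
-	 */
-	public function disallowChildSrcDomain($domain) {
-		$this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Domains which can embed an iFrame of the Nextcloud instance
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 13.0.0
-	 */
-	public function addAllowedFrameAncestorDomain($domain) {
-		$this->allowedFrameAncestors[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Domains which can embed an iFrame of the Nextcloud instance
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 13.0.0
-	 */
-	public function disallowFrameAncestorDomain($domain) {
-		$this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Domain from which workers can be loaded
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 15.0.0
-	 */
-	public function addAllowedWorkerSrcDomain(string $domain) {
-		$this->allowedWorkerSrcDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove domain from which workers can be loaded
-	 *
-	 * @param string $domain
-	 * @return $this
-	 * @since 15.0.0
-	 */
-	public function disallowWorkerSrcDomain(string $domain) {
-		$this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Domain to where forms can submit
-	 *
-	 * @since 17.0.0
-	 *
-	 * @return $this
-	 */
-	public function addAllowedFormActionDomain(string $domain) {
-		$this->allowedFormActionDomains[] = $domain;
-		return $this;
-	}
-
-	/**
-	 * Remove domain to where forms can submit
-	 *
-	 * @return $this
-	 * @since 17.0.0
-	 */
-	public function disallowFormActionDomain(string $domain) {
-		$this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
-		return $this;
-	}
-
-	/**
-	 * Add location to report CSP violations to
-	 *
-	 * @param string $location
-	 * @return $this
-	 * @since 15.0.0
-	 */
-	public function addReportTo(string $location) {
-		$this->reportTo[] = $location;
-		return $this;
-	}
-
-	/**
-	 * Get the generated Content-Security-Policy as a string
-	 * @return string
-	 * @since 8.1.0
-	 */
-	public function buildPolicy() {
-		$policy = "default-src 'none';";
-		$policy .= "base-uri 'none';";
-		$policy .= "manifest-src 'self';";
-
-		if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
-			$policy .= 'script-src ';
-			if (is_string($this->useJsNonce)) {
-				if ($this->strictDynamicAllowed) {
-					$policy .= '\'strict-dynamic\' ';
-				}
-				$policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
-				$allowedScriptDomains = array_flip($this->allowedScriptDomains);
-				unset($allowedScriptDomains['\'self\'']);
-				$this->allowedScriptDomains = array_flip($allowedScriptDomains);
-				if (count($allowedScriptDomains) !== 0) {
-					$policy .= ' ';
-				}
-			}
-			if (is_array($this->allowedScriptDomains)) {
-				$policy .= implode(' ', $this->allowedScriptDomains);
-			}
-			if ($this->inlineScriptAllowed) {
-				$policy .= ' \'unsafe-inline\'';
-			}
-			if ($this->evalScriptAllowed) {
-				$policy .= ' \'unsafe-eval\'';
-			}
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedStyleDomains) || $this->inlineStyleAllowed) {
-			$policy .= 'style-src ';
-			if (is_array($this->allowedStyleDomains)) {
-				$policy .= implode(' ', $this->allowedStyleDomains);
-			}
-			if ($this->inlineStyleAllowed) {
-				$policy .= ' \'unsafe-inline\'';
-			}
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedImageDomains)) {
-			$policy .= 'img-src ' . implode(' ', $this->allowedImageDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedFontDomains)) {
-			$policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedConnectDomains)) {
-			$policy .= 'connect-src ' . implode(' ', $this->allowedConnectDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedMediaDomains)) {
-			$policy .= 'media-src ' . implode(' ', $this->allowedMediaDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedObjectDomains)) {
-			$policy .= 'object-src ' . implode(' ', $this->allowedObjectDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedFrameDomains)) {
-			$policy .= 'frame-src ';
-			$policy .= implode(' ', $this->allowedFrameDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedChildSrcDomains)) {
-			$policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedFrameAncestors)) {
-			$policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
-			$policy .= ';';
-		} else {
-			$policy .= 'frame-ancestors \'none\';';
-		}
-
-		if (!empty($this->allowedWorkerSrcDomains)) {
-			$policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->allowedFormActionDomains)) {
-			$policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
-			$policy .= ';';
-		}
-
-		if (!empty($this->reportTo)) {
-			$policy .= 'report-uri ' . implode(' ', $this->reportTo);
-			$policy .= ';';
-		}
-
-		return rtrim($policy, ';');
-	}
+    /** @var bool Whether inline JS snippets are allowed */
+    protected $inlineScriptAllowed = null;
+    /** @var string Whether JS nonces should be used */
+    protected $useJsNonce = null;
+    /** @var bool Whether strict-dynamic should be used */
+    protected $strictDynamicAllowed = null;
+    /**
+     * @var bool Whether eval in JS scripts is allowed
+     * TODO: Disallow per default
+     * @link https://github.com/owncloud/core/issues/11925
+     */
+    protected $evalScriptAllowed = null;
+    /** @var array Domains from which scripts can get loaded */
+    protected $allowedScriptDomains = null;
+    /**
+     * @var bool Whether inline CSS is allowed
+     * TODO: Disallow per default
+     * @link https://github.com/owncloud/core/issues/13458
+     */
+    protected $inlineStyleAllowed = null;
+    /** @var array Domains from which CSS can get loaded */
+    protected $allowedStyleDomains = null;
+    /** @var array Domains from which images can get loaded */
+    protected $allowedImageDomains = null;
+    /** @var array Domains to which connections can be done */
+    protected $allowedConnectDomains = null;
+    /** @var array Domains from which media elements can be loaded */
+    protected $allowedMediaDomains = null;
+    /** @var array Domains from which object elements can be loaded */
+    protected $allowedObjectDomains = null;
+    /** @var array Domains from which iframes can be loaded */
+    protected $allowedFrameDomains = null;
+    /** @var array Domains from which fonts can be loaded */
+    protected $allowedFontDomains = null;
+    /** @var array Domains from which web-workers and nested browsing content can load elements */
+    protected $allowedChildSrcDomains = null;
+    /** @var array Domains which can embed this Nextcloud instance */
+    protected $allowedFrameAncestors = null;
+    /** @var array Domains from which web-workers can be loaded */
+    protected $allowedWorkerSrcDomains = null;
+    /** @var array Domains which can be used as target for forms */
+    protected $allowedFormActionDomains = null;
+
+    /** @var array Locations to report violations to */
+    protected $reportTo = null;
+
+    /**
+     * Whether inline JavaScript snippets are allowed or forbidden
+     * @param bool $state
+     * @return $this
+     * @since 8.1.0
+     * @deprecated 10.0 CSP tokens are now used
+     */
+    public function allowInlineScript($state = false) {
+        $this->inlineScriptAllowed = $state;
+        return $this;
+    }
+
+    /**
+     * @param bool $state
+     * @return EmptyContentSecurityPolicy
+     * @since 24.0.0
+     */
+    public function useStrictDynamic(bool $state = false): self {
+        $this->strictDynamicAllowed = $state;
+        return $this;
+    }
+
+    /**
+     * Use the according JS nonce
+     * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
+     *
+     * @param string $nonce
+     * @return $this
+     * @since 11.0.0
+     */
+    public function useJsNonce($nonce) {
+        $this->useJsNonce = $nonce;
+        return $this;
+    }
+
+    /**
+     * Whether eval in JavaScript is allowed or forbidden
+     * @param bool $state
+     * @return $this
+     * @since 8.1.0
+     * @deprecated Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.
+     */
+    public function allowEvalScript($state = true) {
+        $this->evalScriptAllowed = $state;
+        return $this;
+    }
+
+    /**
+     * Allows to execute JavaScript files from a specific domain. Use * to
+     * allow JavaScript from all domains.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedScriptDomain($domain) {
+        $this->allowedScriptDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed script domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowScriptDomain($domain) {
+        $this->allowedScriptDomains = array_diff($this->allowedScriptDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Whether inline CSS snippets are allowed or forbidden
+     * @param bool $state
+     * @return $this
+     * @since 8.1.0
+     */
+    public function allowInlineStyle($state = true) {
+        $this->inlineStyleAllowed = $state;
+        return $this;
+    }
+
+    /**
+     * Allows to execute CSS files from a specific domain. Use * to allow
+     * CSS from all domains.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedStyleDomain($domain) {
+        $this->allowedStyleDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed style domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowStyleDomain($domain) {
+        $this->allowedStyleDomains = array_diff($this->allowedStyleDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Allows using fonts from a specific domain. Use * to allow
+     * fonts from all domains.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedFontDomain($domain) {
+        $this->allowedFontDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed font domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowFontDomain($domain) {
+        $this->allowedFontDomains = array_diff($this->allowedFontDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Allows embedding images from a specific domain. Use * to allow
+     * images from all domains.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedImageDomain($domain) {
+        $this->allowedImageDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed image domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowImageDomain($domain) {
+        $this->allowedImageDomains = array_diff($this->allowedImageDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * To which remote domains the JS connect to.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedConnectDomain($domain) {
+        $this->allowedConnectDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed connect domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowConnectDomain($domain) {
+        $this->allowedConnectDomains = array_diff($this->allowedConnectDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * From which domains media elements can be embedded.
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedMediaDomain($domain) {
+        $this->allowedMediaDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed media domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowMediaDomain($domain) {
+        $this->allowedMediaDomains = array_diff($this->allowedMediaDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * From which domains objects such as <object>, <embed> or <applet> are executed
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedObjectDomain($domain) {
+        $this->allowedObjectDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed object domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowObjectDomain($domain) {
+        $this->allowedObjectDomains = array_diff($this->allowedObjectDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Which domains can be embedded in an iframe
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     */
+    public function addAllowedFrameDomain($domain) {
+        $this->allowedFrameDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed frame domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     */
+    public function disallowFrameDomain($domain) {
+        $this->allowedFrameDomains = array_diff($this->allowedFrameDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Domains from which web-workers and nested browsing content can load elements
+     * @param string $domain Domain to whitelist. Any passed value needs to be properly sanitized.
+     * @return $this
+     * @since 8.1.0
+     * @deprecated 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
+     */
+    public function addAllowedChildSrcDomain($domain) {
+        $this->allowedChildSrcDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove the specified allowed child src domain from the allowed domains.
+     *
+     * @param string $domain
+     * @return $this
+     * @since 8.1.0
+     * @deprecated 15.0.0 use the WorkerSrcDomains or FrameDomain
+     */
+    public function disallowChildSrcDomain($domain) {
+        $this->allowedChildSrcDomains = array_diff($this->allowedChildSrcDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Domains which can embed an iFrame of the Nextcloud instance
+     *
+     * @param string $domain
+     * @return $this
+     * @since 13.0.0
+     */
+    public function addAllowedFrameAncestorDomain($domain) {
+        $this->allowedFrameAncestors[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Domains which can embed an iFrame of the Nextcloud instance
+     *
+     * @param string $domain
+     * @return $this
+     * @since 13.0.0
+     */
+    public function disallowFrameAncestorDomain($domain) {
+        $this->allowedFrameAncestors = array_diff($this->allowedFrameAncestors, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Domain from which workers can be loaded
+     *
+     * @param string $domain
+     * @return $this
+     * @since 15.0.0
+     */
+    public function addAllowedWorkerSrcDomain(string $domain) {
+        $this->allowedWorkerSrcDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove domain from which workers can be loaded
+     *
+     * @param string $domain
+     * @return $this
+     * @since 15.0.0
+     */
+    public function disallowWorkerSrcDomain(string $domain) {
+        $this->allowedWorkerSrcDomains = array_diff($this->allowedWorkerSrcDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Domain to where forms can submit
+     *
+     * @since 17.0.0
+     *
+     * @return $this
+     */
+    public function addAllowedFormActionDomain(string $domain) {
+        $this->allowedFormActionDomains[] = $domain;
+        return $this;
+    }
+
+    /**
+     * Remove domain to where forms can submit
+     *
+     * @return $this
+     * @since 17.0.0
+     */
+    public function disallowFormActionDomain(string $domain) {
+        $this->allowedFormActionDomains = array_diff($this->allowedFormActionDomains, [$domain]);
+        return $this;
+    }
+
+    /**
+     * Add location to report CSP violations to
+     *
+     * @param string $location
+     * @return $this
+     * @since 15.0.0
+     */
+    public function addReportTo(string $location) {
+        $this->reportTo[] = $location;
+        return $this;
+    }
+
+    /**
+     * Get the generated Content-Security-Policy as a string
+     * @return string
+     * @since 8.1.0
+     */
+    public function buildPolicy() {
+        $policy = "default-src 'none';";
+        $policy .= "base-uri 'none';";
+        $policy .= "manifest-src 'self';";
+
+        if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {
+            $policy .= 'script-src ';
+            if (is_string($this->useJsNonce)) {
+                if ($this->strictDynamicAllowed) {
+                    $policy .= '\'strict-dynamic\' ';
+                }
+                $policy .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
+                $allowedScriptDomains = array_flip($this->allowedScriptDomains);
+                unset($allowedScriptDomains['\'self\'']);
+                $this->allowedScriptDomains = array_flip($allowedScriptDomains);
+                if (count($allowedScriptDomains) !== 0) {
+                    $policy .= ' ';
+                }
+            }
+            if (is_array($this->allowedScriptDomains)) {
+                $policy .= implode(' ', $this->allowedScriptDomains);
+            }
+            if ($this->inlineScriptAllowed) {
+                $policy .= ' \'unsafe-inline\'';
+            }
+            if ($this->evalScriptAllowed) {
+                $policy .= ' \'unsafe-eval\'';
+            }
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedStyleDomains) || $this->inlineStyleAllowed) {
+            $policy .= 'style-src ';
+            if (is_array($this->allowedStyleDomains)) {
+                $policy .= implode(' ', $this->allowedStyleDomains);
+            }
+            if ($this->inlineStyleAllowed) {
+                $policy .= ' \'unsafe-inline\'';
+            }
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedImageDomains)) {
+            $policy .= 'img-src ' . implode(' ', $this->allowedImageDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedFontDomains)) {
+            $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedConnectDomains)) {
+            $policy .= 'connect-src ' . implode(' ', $this->allowedConnectDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedMediaDomains)) {
+            $policy .= 'media-src ' . implode(' ', $this->allowedMediaDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedObjectDomains)) {
+            $policy .= 'object-src ' . implode(' ', $this->allowedObjectDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedFrameDomains)) {
+            $policy .= 'frame-src ';
+            $policy .= implode(' ', $this->allowedFrameDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedChildSrcDomains)) {
+            $policy .= 'child-src ' . implode(' ', $this->allowedChildSrcDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedFrameAncestors)) {
+            $policy .= 'frame-ancestors ' . implode(' ', $this->allowedFrameAncestors);
+            $policy .= ';';
+        } else {
+            $policy .= 'frame-ancestors \'none\';';
+        }
+
+        if (!empty($this->allowedWorkerSrcDomains)) {
+            $policy .= 'worker-src ' . implode(' ', $this->allowedWorkerSrcDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->allowedFormActionDomains)) {
+            $policy .= 'form-action ' . implode(' ', $this->allowedFormActionDomains);
+            $policy .= ';';
+        }
+
+        if (!empty($this->reportTo)) {
+            $policy .= 'report-uri ' . implode(' ', $this->reportTo);
+            $policy .= ';';
+        }
+
+        return rtrim($policy, ';');
+    }
 }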
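--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
@@ -40,65 +40,65 @@
  * @since 8.1.0
  */
 class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
-	/** @var bool Whether inline JS snippets are allowed */
-	protected $inlineScriptAllowed = false;
-	/** @var bool Whether eval in JS scripts is allowed */
-	protected $evalScriptAllowed = false;
-	/** @var bool Whether strict-dynamic should be set */
-	protected $strictDynamicAllowed = null;
-	/** @var array Domains from which scripts can get loaded */
-	protected $allowedScriptDomains = [
-		'\'self\'',
-	];
-	/**
-	 * @var bool Whether inline CSS is allowed
-	 * TODO: Disallow per default
-	 * @link https://github.com/owncloud/core/issues/13458
-	 */
-	protected $inlineStyleAllowed = true;
-	/** @var array Domains from which CSS can get loaded */
-	protected $allowedStyleDomains = [
-		'\'self\'',
-	];
-	/** @var array Domains from which images can get loaded */
-	protected $allowedImageDomains = [
-		'\'self\'',
-		'data:',
-		'blob:',
-	];
-	/** @var array Domains to which connections can be done */
-	protected $allowedConnectDomains = [
-		'\'self\'',
-	];
-	/** @var array Domains from which media elements can be loaded */
-	protected $allowedMediaDomains = [
-		'\'self\'',
-	];
-	/** @var array Domains from which object elements can be loaded */
-	protected $allowedObjectDomains = [];
-	/** @var array Domains from which iframes can be loaded */
-	protected $allowedFrameDomains = [];
-	/** @var array Domains from which fonts can be loaded */
-	protected $allowedFontDomains = [
-		'\'self\'',
-		'data:',
-	];
-	/** @var array Domains from which web-workers and nested browsing content can load elements */
-	protected $allowedChildSrcDomains = [];
+    /** @var bool Whether inline JS snippets are allowed */
+    protected $inlineScriptAllowed = false;
+    /** @var bool Whether eval in JS scripts is allowed */
+    protected $evalScriptAllowed = false;
+    /** @var bool Whether strict-dynamic should be set */
+    protected $strictDynamicAllowed = null;
+    /** @var array Domains from which scripts can get loaded */
+    protected $allowedScriptDomains = [
+        '\'self\'',
+    ];
+    /**
+     * @var bool Whether inline CSS is allowed
+     * TODO: Disallow per default
+     * @link https://github.com/owncloud/core/issues/13458
+     */
+    protected $inlineStyleAllowed = true;
+    /** @var array Domains from which CSS can get loaded */
+    protected $allowedStyleDomains = [
+        '\'self\'',
+    ];
+    /** @var array Domains from which images can get loaded */
+    protected $allowedImageDomains = [
+        '\'self\'',
+        'data:',
+        'blob:',
+    ];
+    /** @var array Domains to which connections can be done */
+    protected $allowedConnectDomains = [
+        '\'self\'',
+    ];
+    /** @var array Domains from which media elements can be loaded */
+    protected $allowedMediaDomains = [
+        '\'self\'',
+    ];
+    /** @var array Domains from which object elements can be loaded */
+    protected $allowedObjectDomains = [];
+    /** @var array Domains from which iframes can be loaded */
+    protected $allowedFrameDomains = [];
+    /** @var array Domains from which fonts can be loaded */
+    protected $allowedFontDomains = [
+        '\'self\'',
+        'data:',
+    ];
+    /** @var array Domains from which web-workers and nested browsing content can load elements */
+    protected $allowedChildSrcDomains = [];
 
-	/** @var array Domains which can embed this Nextcloud instance */
-	protected $allowedFrameAncestors = [
-		'\'self\'',
-	];
+    /** @var array Domains which can embed this Nextcloud instance */
+    protected $allowedFrameAncestors = [
+        '\'self\'',
+    ];
 
-	/** @var array Domains from which web-workers can be loaded */
-	protected $allowedWorkerSrcDomains = [];
+    /** @var array Domains from which web-workers can be loaded */
+    protected $allowedWorkerSrcDomains = [];
 
-	/** @var array Domains which can be used as target for forms */
-	protected $allowedFormActionDomains = [
-		'\'self\'',
-	];
+    /** @var array Domains which can be used as target for forms */
+    protected $allowedFormActionDomains = [
+        '\'self\'',
+    ];
 
-	/** @var array Locations to report violations to */
-	protected $reportTo = [];
+    /** @var array Locations to report violations to */
+    protected $reportTo = [];
 }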
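--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -34,221 +34,221 @@
  * @package OC\Security\CSP
  */
 class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy {
-	/**
-	 * @return boolean
-	 */
-	public function isInlineScriptAllowed(): bool {
-		return $this->inlineScriptAllowed;
-	}
-
-	/**
-	 * @param boolean $inlineScriptAllowed
-	 */
-	public function setInlineScriptAllowed(bool $inlineScriptAllowed) {
-		$this->inlineScriptAllowed = $inlineScriptAllowed;
-	}
-
-	/**
-	 * @return boolean
-	 */
-	public function isEvalScriptAllowed(): bool {
-		return $this->evalScriptAllowed;
-	}
-
-	/**
-	 * @param boolean $evalScriptAllowed
-	 *
-	 * @deprecated 17.0.0 Unsafe eval should not be used anymore.
-	 */
-	public function setEvalScriptAllowed(bool $evalScriptAllowed) {
-		$this->evalScriptAllowed = $evalScriptAllowed;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedScriptDomains(): array {
-		return $this->allowedScriptDomains;
-	}
-
-	/**
-	 * @param array $allowedScriptDomains
-	 */
-	public function setAllowedScriptDomains(array $allowedScriptDomains) {
-		$this->allowedScriptDomains = $allowedScriptDomains;
-	}
-
-	/**
-	 * @return boolean
-	 */
-	public function isInlineStyleAllowed(): bool {
-		return $this->inlineStyleAllowed;
-	}
-
-	/**
-	 * @param boolean $inlineStyleAllowed
-	 */
-	public function setInlineStyleAllowed(bool $inlineStyleAllowed) {
-		$this->inlineStyleAllowed = $inlineStyleAllowed;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedStyleDomains(): array {
-		return $this->allowedStyleDomains;
-	}
-
-	/**
-	 * @param array $allowedStyleDomains
-	 */
-	public function setAllowedStyleDomains(array $allowedStyleDomains) {
-		$this->allowedStyleDomains = $allowedStyleDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedImageDomains(): array {
-		return $this->allowedImageDomains;
-	}
-
-	/**
-	 * @param array $allowedImageDomains
-	 */
-	public function setAllowedImageDomains(array $allowedImageDomains) {
-		$this->allowedImageDomains = $allowedImageDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedConnectDomains(): array {
-		return $this->allowedConnectDomains;
-	}
-
-	/**
-	 * @param array $allowedConnectDomains
-	 */
-	public function setAllowedConnectDomains(array $allowedConnectDomains) {
-		$this->allowedConnectDomains = $allowedConnectDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedMediaDomains(): array {
-		return $this->allowedMediaDomains;
-	}
-
-	/**
-	 * @param array $allowedMediaDomains
-	 */
-	public function setAllowedMediaDomains(array $allowedMediaDomains) {
-		$this->allowedMediaDomains = $allowedMediaDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedObjectDomains(): array {
-		return $this->allowedObjectDomains;
-	}
-
-	/**
-	 * @param array $allowedObjectDomains
-	 */
-	public function setAllowedObjectDomains(array $allowedObjectDomains) {
-		$this->allowedObjectDomains = $allowedObjectDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedFrameDomains(): array {
-		return $this->allowedFrameDomains;
-	}
-
-	/**
-	 * @param array $allowedFrameDomains
-	 */
-	public function setAllowedFrameDomains(array $allowedFrameDomains) {
-		$this->allowedFrameDomains = $allowedFrameDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedFontDomains(): array {
-		return $this->allowedFontDomains;
-	}
-
-	/**
-	 * @param array $allowedFontDomains
-	 */
-	public function setAllowedFontDomains($allowedFontDomains) {
-		$this->allowedFontDomains = $allowedFontDomains;
-	}
-
-	/**
-	 * @return array
-	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
-	 */
-	public function getAllowedChildSrcDomains(): array {
-		return $this->allowedChildSrcDomains;
-	}
-
-	/**
-	 * @param array $allowedChildSrcDomains
-	 * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
-	 */
-	public function setAllowedChildSrcDomains($allowedChildSrcDomains) {
-		$this->allowedChildSrcDomains = $allowedChildSrcDomains;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getAllowedFrameAncestors(): array {
-		return $this->allowedFrameAncestors;
-	}
-
-	/**
-	 * @param array $allowedFrameAncestors
-	 */
-	public function setAllowedFrameAncestors($allowedFrameAncestors) {
-		$this->allowedFrameAncestors = $allowedFrameAncestors;
-	}
-
-	public function getAllowedWorkerSrcDomains(): array {
-		return $this->allowedWorkerSrcDomains;
-	}
-
-	public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
-		$this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
-	}
-
-	public function getAllowedFormActionDomains(): array {
-		return $this->allowedFormActionDomains;
-	}
-
-	public function setAllowedFormActionDomains(array $allowedFormActionDomains): void {
-		$this->allowedFormActionDomains = $allowedFormActionDomains;
-	}
-
-
-	public function getReportTo(): array {
-		return $this->reportTo;
-	}
-
-	public function setReportTo(array $reportTo) {
-		$this->reportTo = $reportTo;
-	}
-
-	/**
-	 * @param boolean $strictDynamicAllowed
-	 */
-	public function setStrictDynamicAllowed(bool $strictDynamicAllowed) {
-		$this->strictDynamicAllowed = $strictDynamicAllowed;
-	}
+    /**
+     * @return boolean
+     */
+    public function isInlineScriptAllowed(): bool {
+        return $this->inlineScriptAllowed;
+    }
+
+    /**
+     * @param boolean $inlineScriptAllowed
+     */
+    public function setInlineScriptAllowed(bool $inlineScriptAllowed) {
+        $this->inlineScriptAllowed = $inlineScriptAllowed;
+    }
+
+    /**
+     * @return boolean
+     */
+    public function isEvalScriptAllowed(): bool {
+        return $this->evalScriptAllowed;
+    }
+
+    /**
+     * @param boolean $evalScriptAllowed
+     *
+     * @deprecated 17.0.0 Unsafe eval should not be used anymore.
+     */
+    public function setEvalScriptAllowed(bool $evalScriptAllowed) {
+        $this->evalScriptAllowed = $evalScriptAllowed;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedScriptDomains(): array {
+        return $this->allowedScriptDomains;
+    }
+
+    /**
+     * @param array $allowedScriptDomains
+     */
+    public function setAllowedScriptDomains(array $allowedScriptDomains) {
+        $this->allowedScriptDomains = $allowedScriptDomains;
+    }
+
+    /**
+     * @return boolean
+     */
+    public function isInlineStyleAllowed(): bool {
+        return $this->inlineStyleAllowed;
+    }
+
+    /**
+     * @param boolean $inlineStyleAllowed
+     */
+    public function setInlineStyleAllowed(bool $inlineStyleAllowed) {
+        $this->inlineStyleAllowed = $inlineStyleAllowed;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedStyleDomains(): array {
+        return $this->allowedStyleDomains;
+    }
+
+    /**
+     * @param array $allowedStyleDomains
+     */
+    public function setAllowedStyleDomains(array $allowedStyleDomains) {
+        $this->allowedStyleDomains = $allowedStyleDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedImageDomains(): array {
+        return $this->allowedImageDomains;
+    }
+
+    /**
+     * @param array $allowedImageDomains
+     */
+    public function setAllowedImageDomains(array $allowedImageDomains) {
+        $this->allowedImageDomains = $allowedImageDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedConnectDomains(): array {
+        return $this->allowedConnectDomains;
+    }
+
+    /**
+     * @param array $allowedConnectDomains
+     */
+    public function setAllowedConnectDomains(array $allowedConnectDomains) {
+        $this->allowedConnectDomains = $allowedConnectDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedMediaDomains(): array {
+        return $this->allowedMediaDomains;
+    }
+
+    /**
+     * @param array $allowedMediaDomains
+     */
+    public function setAllowedMediaDomains(array $allowedMediaDomains) {
+        $this->allowedMediaDomains = $allowedMediaDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedObjectDomains(): array {
+        return $this->allowedObjectDomains;
+    }
+
+    /**
+     * @param array $allowedObjectDomains
+     */
+    public function setAllowedObjectDomains(array $allowedObjectDomains) {
+        $this->allowedObjectDomains = $allowedObjectDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedFrameDomains(): array {
+        return $this->allowedFrameDomains;
+    }
+
+    /**
+     * @param array $allowedFrameDomains
+     */
+    public function setAllowedFrameDomains(array $allowedFrameDomains) {
+        $this->allowedFrameDomains = $allowedFrameDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedFontDomains(): array {
+        return $this->allowedFontDomains;
+    }
+
+    /**
+     * @param array $allowedFontDomains
+     */
+    public function setAllowedFontDomains($allowedFontDomains) {
+        $this->allowedFontDomains = $allowedFontDomains;
+    }
+
+    /**
+     * @return array
+     * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
+     */
+    public function getAllowedChildSrcDomains(): array {
+        return $this->allowedChildSrcDomains;
+    }
+
+    /**
+     * @param array $allowedChildSrcDomains
+     * @deprecated 15.0.0 use FrameDomains and WorkerSrcDomains
+     */
+    public function setAllowedChildSrcDomains($allowedChildSrcDomains) {
+        $this->allowedChildSrcDomains = $allowedChildSrcDomains;
+    }
+
+    /**
+     * @return array
+     */
+    public function getAllowedFrameAncestors(): array {
+        return $this->allowedFrameAncestors;
+    }
+
+    /**
+     * @param array $allowedFrameAncestors
+     */
+    public function setAllowedFrameAncestors($allowedFrameAncestors) {
+        $this->allowedFrameAncestors = $allowedFrameAncestors;
+    }
+
+    public function getAllowedWorkerSrcDomains(): array {
+        return $this->allowedWorkerSrcDomains;
+    }
+
+    public function setAllowedWorkerSrcDomains(array $allowedWorkerSrcDomains) {
+        $this->allowedWorkerSrcDomains = $allowedWorkerSrcDomains;
+    }
+
+    public function getAllowedFormActionDomains(): array {
+        return $this->allowedFormActionDomains;
+    }
+
+    public function setAllowedFormActionDomains(array $allowedFormActionDomains): void {
+        $this->allowedFormActionDomains = $allowedFormActionDomains;
+    }
+
+
+    public function getReportTo(): array {
+        return $this->reportTo;
+    }
+
+    public function setReportTo(array $reportTo) {
+        $this->reportTo = $reportTo;
+    }
+
+    /**
+     * @param boolean $strictDynamicAllowed
+     */
+    public function setStrictDynamicAllowed(bool $strictDynamicAllowed) {
+        $this->strictDynamicAllowed = $strictDynamicAllowed;
+    }
 }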