@@ -42,53 +42,53 @@ |
||
| 42 | 42 | * @deprecated 14.0.0 Use one of our stricter CSP policies |
| 43 | 43 | */ |
| 44 | 44 | class ContentSecurityPolicy extends EmptyContentSecurityPolicy { |
| 45 | - /** @var bool Whether inline JS snippets are allowed */ |
|
| 46 | - protected $inlineScriptAllowed = false; |
|
| 47 | - /** |
|
| 48 | - * @var bool Whether eval in JS scripts is allowed |
|
| 49 | - * TODO: Disallow per default |
|
| 50 | - * @link https://github.com/owncloud/core/issues/11925 |
|
| 51 | - */ |
|
| 52 | - protected $evalScriptAllowed = true; |
|
| 53 | - /** @var array Domains from which scripts can get loaded */ |
|
| 54 | - protected $allowedScriptDomains = [ |
|
| 55 | - '\'self\'', |
|
| 56 | - ]; |
|
| 57 | - /** |
|
| 58 | - * @var bool Whether inline CSS is allowed |
|
| 59 | - * TODO: Disallow per default |
|
| 60 | - * @link https://github.com/owncloud/core/issues/13458 |
|
| 61 | - */ |
|
| 62 | - protected $inlineStyleAllowed = true; |
|
| 63 | - /** @var array Domains from which CSS can get loaded */ |
|
| 64 | - protected $allowedStyleDomains = [ |
|
| 65 | - '\'self\'', |
|
| 66 | - ]; |
|
| 67 | - /** @var array Domains from which images can get loaded */ |
|
| 68 | - protected $allowedImageDomains = [ |
|
| 69 | - '\'self\'', |
|
| 70 | - 'data:', |
|
| 71 | - 'blob:', |
|
| 72 | - ]; |
|
| 73 | - /** @var array Domains to which connections can be done */ |
|
| 74 | - protected $allowedConnectDomains = [ |
|
| 75 | - '\'self\'', |
|
| 76 | - ]; |
|
| 77 | - /** @var array Domains from which media elements can be loaded */ |
|
| 78 | - protected $allowedMediaDomains = [ |
|
| 79 | - '\'self\'', |
|
| 80 | - ]; |
|
| 81 | - /** @var array Domains from which object elements can be loaded */ |
|
| 82 | - protected $allowedObjectDomains = []; |
|
| 83 | - /** @var array Domains from which iframes can be loaded */ |
|
| 84 | - protected $allowedFrameDomains = []; |
|
| 85 | - /** @var array Domains from which fonts can be loaded */ |
|
| 86 | - protected $allowedFontDomains = [ |
|
| 87 | - '\'self\'', |
|
| 88 | - ]; |
|
| 89 | - /** @var array Domains from which web-workers and nested browsing content can load elements */ |
|
| 90 | - protected $allowedChildSrcDomains = []; |
|
| 45 | + /** @var bool Whether inline JS snippets are allowed */ |
|
| 46 | + protected $inlineScriptAllowed = false; |
|
| 47 | + /** |
|
| 48 | + * @var bool Whether eval in JS scripts is allowed |
|
| 49 | + * TODO: Disallow per default |
|
| 50 | + * @link https://github.com/owncloud/core/issues/11925 |
|
| 51 | + */ |
|
| 52 | + protected $evalScriptAllowed = true; |
|
| 53 | + /** @var array Domains from which scripts can get loaded */ |
|
| 54 | + protected $allowedScriptDomains = [ |
|
| 55 | + '\'self\'', |
|
| 56 | + ]; |
|
| 57 | + /** |
|
| 58 | + * @var bool Whether inline CSS is allowed |
|
| 59 | + * TODO: Disallow per default |
|
| 60 | + * @link https://github.com/owncloud/core/issues/13458 |
|
| 61 | + */ |
|
| 62 | + protected $inlineStyleAllowed = true; |
|
| 63 | + /** @var array Domains from which CSS can get loaded */ |
|
| 64 | + protected $allowedStyleDomains = [ |
|
| 65 | + '\'self\'', |
|
| 66 | + ]; |
|
| 67 | + /** @var array Domains from which images can get loaded */ |
|
| 68 | + protected $allowedImageDomains = [ |
|
| 69 | + '\'self\'', |
|
| 70 | + 'data:', |
|
| 71 | + 'blob:', |
|
| 72 | + ]; |
|
| 73 | + /** @var array Domains to which connections can be done */ |
|
| 74 | + protected $allowedConnectDomains = [ |
|
| 75 | + '\'self\'', |
|
| 76 | + ]; |
|
| 77 | + /** @var array Domains from which media elements can be loaded */ |
|
| 78 | + protected $allowedMediaDomains = [ |
|
| 79 | + '\'self\'', |
|
| 80 | + ]; |
|
| 81 | + /** @var array Domains from which object elements can be loaded */ |
|
| 82 | + protected $allowedObjectDomains = []; |
|
| 83 | + /** @var array Domains from which iframes can be loaded */ |
|
| 84 | + protected $allowedFrameDomains = []; |
|
| 85 | + /** @var array Domains from which fonts can be loaded */ |
|
| 86 | + protected $allowedFontDomains = [ |
|
| 87 | + '\'self\'', |
|
| 88 | + ]; |
|
| 89 | + /** @var array Domains from which web-workers and nested browsing content can load elements */ |
|
| 90 | + protected $allowedChildSrcDomains = []; |
|
| 91 | 91 | |
| 92 | - /** @var array Domains which can embed this Nextcloud instance */ |
|
| 93 | - protected $allowedFrameAncestors = []; |
|
| 92 | + /** @var array Domains which can embed this Nextcloud instance */ |
|
| 93 | + protected $allowedFrameAncestors = []; |
|
| 94 | 94 | } |
@@ -41,45 +41,45 @@ |
||
| 41 | 41 | * @since 14.0.0 |
| 42 | 42 | */ |
| 43 | 43 | class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy { |
| 44 | - /** @var bool Whether inline JS snippets are allowed */ |
|
| 45 | - protected $inlineScriptAllowed = false; |
|
| 46 | - /** @var bool Whether eval in JS scripts is allowed */ |
|
| 47 | - protected $evalScriptAllowed = false; |
|
| 48 | - /** @var array Domains from which scripts can get loaded */ |
|
| 49 | - protected $allowedScriptDomains = [ |
|
| 50 | - '\'self\'', |
|
| 51 | - ]; |
|
| 52 | - /** @var bool Whether inline CSS is allowed */ |
|
| 53 | - protected $inlineStyleAllowed = false; |
|
| 54 | - /** @var array Domains from which CSS can get loaded */ |
|
| 55 | - protected $allowedStyleDomains = [ |
|
| 56 | - '\'self\'', |
|
| 57 | - ]; |
|
| 58 | - /** @var array Domains from which images can get loaded */ |
|
| 59 | - protected $allowedImageDomains = [ |
|
| 60 | - '\'self\'', |
|
| 61 | - 'data:', |
|
| 62 | - 'blob:', |
|
| 63 | - ]; |
|
| 64 | - /** @var array Domains to which connections can be done */ |
|
| 65 | - protected $allowedConnectDomains = [ |
|
| 66 | - '\'self\'', |
|
| 67 | - ]; |
|
| 68 | - /** @var array Domains from which media elements can be loaded */ |
|
| 69 | - protected $allowedMediaDomains = [ |
|
| 70 | - '\'self\'', |
|
| 71 | - ]; |
|
| 72 | - /** @var array Domains from which object elements can be loaded */ |
|
| 73 | - protected $allowedObjectDomains = []; |
|
| 74 | - /** @var array Domains from which iframes can be loaded */ |
|
| 75 | - protected $allowedFrameDomains = []; |
|
| 76 | - /** @var array Domains from which fonts can be loaded */ |
|
| 77 | - protected $allowedFontDomains = [ |
|
| 78 | - '\'self\'', |
|
| 79 | - ]; |
|
| 80 | - /** @var array Domains from which web-workers and nested browsing content can load elements */ |
|
| 81 | - protected $allowedChildSrcDomains = []; |
|
| 44 | + /** @var bool Whether inline JS snippets are allowed */ |
|
| 45 | + protected $inlineScriptAllowed = false; |
|
| 46 | + /** @var bool Whether eval in JS scripts is allowed */ |
|
| 47 | + protected $evalScriptAllowed = false; |
|
| 48 | + /** @var array Domains from which scripts can get loaded */ |
|
| 49 | + protected $allowedScriptDomains = [ |
|
| 50 | + '\'self\'', |
|
| 51 | + ]; |
|
| 52 | + /** @var bool Whether inline CSS is allowed */ |
|
| 53 | + protected $inlineStyleAllowed = false; |
|
| 54 | + /** @var array Domains from which CSS can get loaded */ |
|
| 55 | + protected $allowedStyleDomains = [ |
|
| 56 | + '\'self\'', |
|
| 57 | + ]; |
|
| 58 | + /** @var array Domains from which images can get loaded */ |
|
| 59 | + protected $allowedImageDomains = [ |
|
| 60 | + '\'self\'', |
|
| 61 | + 'data:', |
|
| 62 | + 'blob:', |
|
| 63 | + ]; |
|
| 64 | + /** @var array Domains to which connections can be done */ |
|
| 65 | + protected $allowedConnectDomains = [ |
|
| 66 | + '\'self\'', |
|
| 67 | + ]; |
|
| 68 | + /** @var array Domains from which media elements can be loaded */ |
|
| 69 | + protected $allowedMediaDomains = [ |
|
| 70 | + '\'self\'', |
|
| 71 | + ]; |
|
| 72 | + /** @var array Domains from which object elements can be loaded */ |
|
| 73 | + protected $allowedObjectDomains = []; |
|
| 74 | + /** @var array Domains from which iframes can be loaded */ |
|
| 75 | + protected $allowedFrameDomains = []; |
|
| 76 | + /** @var array Domains from which fonts can be loaded */ |
|
| 77 | + protected $allowedFontDomains = [ |
|
| 78 | + '\'self\'', |
|
| 79 | + ]; |
|
| 80 | + /** @var array Domains from which web-workers and nested browsing content can load elements */ |
|
| 81 | + protected $allowedChildSrcDomains = []; |
|
| 82 | 82 | |
| 83 | - /** @var array Domains which can embed this Nextcloud instance */ |
|
| 84 | - protected $allowedFrameAncestors = []; |
|
| 83 | + /** @var array Domains which can embed this Nextcloud instance */ |
|
| 84 | + protected $allowedFrameAncestors = []; |
|
| 85 | 85 | } |
@@ -42,10 +42,10 @@ |
||
| 42 | 42 | */ |
| 43 | 43 | class StrictEvalContentSecurityPolicy extends ContentSecurityPolicy { |
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * @since 14.0.0 |
|
| 47 | - */ |
|
| 48 | - public function __construct() { |
|
| 49 | - $this->inlineStyleAllowed = false; |
|
| 50 | - } |
|
| 45 | + /** |
|
| 46 | + * @since 14.0.0 |
|
| 47 | + */ |
|
| 48 | + public function __construct() { |
|
| 49 | + $this->inlineStyleAllowed = false; |
|
| 50 | + } |
|
| 51 | 51 | } |
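Review bot: The constructor of `StrictEvalContentSecurityPolicy` (new line 49) sets `$this->inlineStyleAllowed = false;`, the same statement as the constructor of `StrictInlineContentSecurityPolicy` in the next section, and it never touches `evalScriptAllowed`. The parent `ContentSecurityPolicy` in the first section defaults `evalScriptAllowed` to `true`, so as far as these sections show, a policy built from this class still permits eval, which is presumably not what the class name promises. If disabling eval is the intent, the line should read `$this->evalScriptAllowed = false;`; if not, the docblock, which carries only `@since 14.0.0`, should state which restriction this class adds over its parent. The old and new lines look identical here, so this change appears to be whitespace-only and the behaviour likely predates it, but the line is re-added unchanged and worth confirming against the callers.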
@@ -42,10 +42,10 @@ |
||
| 42 | 42 | */ |
| 43 | 43 | class StrictInlineContentSecurityPolicy extends ContentSecurityPolicy { |
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * @since 14.0.0 |
|
| 47 | - */ |
|
| 48 | - public function __construct() { |
|
| 49 | - $this->inlineStyleAllowed = false; |
|
| 50 | - } |
|
| 45 | + /** |
|
| 46 | + * @since 14.0.0 |
|
| 47 | + */ |
|
| 48 | + public function __construct() { |
|
| 49 | + $this->inlineStyleAllowed = false; |
|
| 50 | + } |
|
| 51 | 51 | } |