source.dussan.org Git - nextcloud-server.git/commit

author	Lukas Reschke <lukas@owncloud.com>
	Mon, 9 Feb 2015 15:30:01 +0000 (16:30 +0100)
committer	Lukas Reschke <lukas@owncloud.com>
	Mon, 16 Feb 2015 10:00:41 +0000 (11:00 +0100)
commit	b20174bdad33f619054db08e320e5e546e2834b1
tree	d23a1cd064027d81ffe81c0c81a1ac943c756be9	tree \| snapshot
parent	786ff6a5a323e2efe54aa6b736c3fbdf12813d79	commit \| diff

Allow AppFramework applications to specify a custom CSP header

This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925

config/config.sample.php		diff \| blob \| history
lib/private/response.php		diff \| blob \| history
lib/public/appframework/http/contentsecuritypolicy.php	[new file with mode: 0644]	blob
lib/public/appframework/http/response.php		diff \| blob \| history
tests/lib/appframework/controller/ControllerTest.php		diff \| blob \| history
tests/lib/appframework/http/ContentSecurityPolicyTest.php	[new file with mode: 0644]	blob
tests/lib/appframework/http/DataResponseTest.php		diff \| blob \| history
tests/lib/appframework/http/ResponseTest.php		diff \| blob \| history