authorFerdinand Thiessen <opensource@fthiessen.de>2023-11-17 10:56:02 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2023-11-17 11:12:57 +0100
commit7df9eb335199b3eb3016f92e8cba47e12366f306 (patch)
tree93d30d426a5fa2e10abf89e359fccccd1c87370e /lib/private/Security
parent165178a6ad8338145a8bf4432bc19e80b74c0696 (diff)
feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`. The idea is to allow loading module JS that imports other files: nonces cannot be set on the imports, only on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/private/Security')
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicy.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index eca3e2b6b29..ee525af4c2a 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -191,4 +191,12 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
public function setStrictDynamicAllowed(bool $strictDynamicAllowed): void {
$this->strictDynamicAllowed = $strictDynamicAllowed;
}
+
+ public function isStrictDynamicAllowedOnScripts(): bool {
+ return $this->strictDynamicAllowedOnScripts;
+ }
+
+ public function setStrictDynamicAllowedOnScripts(bool $strictDynamicAllowedOnScripts): void {
+ $this->strictDynamicAllowedOnScripts = $strictDynamicAllowedOnScripts;
+ }
}
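Review bot: The two new accessors, `isStrictDynamicAllowedOnScripts()` and `setStrictDynamicAllowedOnScripts()`, have no docblock, and the name alone does not say that the flag targets `script-src-elem` rather than `script-src`, or how it differs from the existing `setStrictDynamicAllowed()` just above. Because `'strict-dynamic'` makes supporting browsers ignore host-source allowlist entries in that directive and extends trust to scripts loaded by an already-trusted script, I would document the setter with something like `/** Allow 'strict-dynamic' on script-src-elem only; script-src keeps its default rules. Relies on a nonce being set on the initial script tag. */`. The `$strictDynamicAllowedOnScripts` property is not declared in this hunk; presumably it is added to the parent `\OCP\AppFramework\Http\ContentSecurityPolicy` in a part of the commit outside this path-limited view, which is worth confirming. The class body starts outside the hunk.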