diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2015-02-09 16:30:01 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-02-16 11:00:41 +0100 |
| commit | b20174bdad33f619054db08e320e5e546e2834b1 (patch) | |
| tree | d23a1cd064027d81ffe81c0c81a1ac943c756be9 /lib/private/response.php | |
| parent | 786ff6a5a323e2efe54aa6b736c3fbdf12813d79 (diff) | |
| download | nextcloud-server-b20174bdad33f619054db08e320e5e546e2834b1.tar.gz nextcloud-server-b20174bdad33f619054db08e320e5e546e2834b1.zip | |
Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
Diffstat (limited to 'lib/private/response.php')
| -rw-r--r-- | lib/private/response.php | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/private/response.php b/lib/private/response.php index cf18115111a..8e4a7d309b0 100644 --- a/lib/private/response.php +++ b/lib/private/response.php @@ -188,7 +188,7 @@ class OC_Response { } } - /* + /** * This function adds some security related headers to all requests served via base.php * The implementation of this function has to happen here to ensure that all third-party * components (e.g. SabreDAV) also benefit from this headers. @@ -203,17 +203,20 @@ class OC_Response { header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains } - // Content Security Policy - // If you change the standard policy, please also change it in config.sample.php - $policy = OC_Config::getValue('custom_csp_policy', - 'default-src \'self\'; ' + /** + * FIXME: Content Security Policy for legacy ownCloud components. This + * can be removed once \OCP\AppFramework\Http\Response from the AppFramework + * is used everywhere. + * @see \OCP\AppFramework\Http\Response::getHeaders + */ + $policy = 'default-src \'self\'; ' . 'script-src \'self\' \'unsafe-eval\'; ' . 'style-src \'self\' \'unsafe-inline\'; ' . 'frame-src *; ' . 'img-src *; ' . 'font-src \'self\' data:; ' . 'media-src *; ' - . 'connect-src *'); + . 'connect-src *'; header('Content-Security-Policy:' . $policy); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag |