diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2023-11-17 10:56:02 +0100 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2023-11-17 11:12:57 +0100 |
| commit | 7df9eb335199b3eb3016f92e8cba47e12366f306 (patch) | |
| tree | 93d30d426a5fa2e10abf89e359fccccd1c87370e /lib/public/AppFramework/Http/ContentSecurityPolicy.php | |
| parent | 165178a6ad8338145a8bf4432bc19e80b74c0696 (diff) | |
| download | nextcloud-server-7df9eb335199b3eb3016f92e8cba47e12366f306.tar.gz nextcloud-server-7df9eb335199b3eb3016f92e8cba47e12366f306.zip | |
feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`.
The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/public/AppFramework/Http/ContentSecurityPolicy.php')
| -rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index f17dd9bd270..386d908ffb6 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -48,6 +48,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { protected ?bool $evalWasmAllowed = false; /** @var bool Whether strict-dynamic should be set */ protected $strictDynamicAllowed = false; + /** @var bool Whether strict-dynamic should be set for 'script-src-elem' */ + protected $strictDynamicAllowedOnScripts = false; /** @var array Domains from which scripts can get loaded */ protected $allowedScriptDomains = [ '\'self\'', |