| field | value | date |
|---|---|---|
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-06-12 22:34:58 +0200 |
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-06-13 14:47:57 +0200 |
| commit | b38fa573e1fd7c05a76cae642eef6f388219df16 (patch) | |
| tree | b866d2d071c0cabc243faa5d80d91d9559e2f972 /lib/public/AppFramework/Http/ContentSecurityPolicy.php | |
| parent | cd87a40eb3a2b7026dfd1822e6e43e131edd3423 (diff) | |
| download | nextcloud-server-b38fa573e1fd7c05a76cae642eef6f388219df16.tar.gz nextcloud-server-b38fa573e1fd7c05a76cae642eef6f388219df16.zip | |
Add stricter CSPs
* Deprecate our default CSP
* Add strict CSP that is always our strictest setting
* Add strict eval CSP (disable unsafe-eval)
* Add strict inline CSP (disables inline styles)
This is just to move forward and have an incremental improvement of our CSP.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/public/AppFramework/Http/ContentSecurityPolicy.php')
-rw-r--r-- | lib/public/AppFramework/Http/ContentSecurityPolicy.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index 9438c6ead61..c705955bb8a 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -27,16 +27,19 @@ namespace OCP\AppFramework\Http; /** * Class ContentSecurityPolicy is a simple helper which allows applications to - * modify the Content-Security-Policy sent by ownCloud. Per default only JavaScript, + * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, * stylesheets, images, fonts, media and connections from the same domain * ('self') are allowed. * * Even if a value gets modified above defaults will still get appended. Please - * notice that ownCloud ships already with sensible defaults and those policies + * notice that Nextcloud ships already with sensible defaults and those policies * should require no modification at all for most use-cases. * + * This class allows unsafe-eval of javascript and unsafe-inline of CSS. + * * @package OCP\AppFramework\Http * @since 8.1.0 + * @deprecated 14.0.0 Use one of our stricter CSP policies */ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var bool Whether inline JS snippets are allowed */ |
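Review bot: the added `@deprecated 14.0.0 Use one of our stricter CSP policies` tag describes the replacements without naming them; the commit message lists three (strict, strict eval, strict inline), so the docblock should carry `@see` tags for the replacement classes so that a developer who hits the deprecation warning knows which class to move to. The new sentence `This class allows unsafe-eval of javascript and unsafe-inline of CSS.` also sits apart from the unchanged `Per default only JavaScript, ... from the same domain ('self') are allowed.`, which still reads as if 'self' were the complete default; fold the two together so the docblock states once that the default policy is 'self' plus unsafe-eval for scripts and unsafe-inline for styles, and that those two allowances are what the stricter policies remove. Minor: `javascript` should be `JavaScript`, matching the rest of the docblock.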