Diffstat (limited to 'lib/private/response.php')
-rw-r--r--lib/private/response.php50
1 files changed, 41 insertions, 9 deletions
diff --git a/lib/private/response.php b/lib/private/response.php
index 19df9719dee..caa382af776 100644
--- a/lib/private/response.php
+++ b/lib/private/response.php
@@ -16,7 +16,7 @@ class OC_Response {
const STATUS_SERVICE_UNAVAILABLE = 503;
/**
- * @brief Enable response caching by sending correct HTTP headers
+ * Enable response caching by sending correct HTTP headers
* @param integer $cache_time time to cache the response
* >0 cache time in seconds
* 0 and <0 enable default browser caching
@@ -42,7 +42,7 @@ class OC_Response {
}
/**
- * @brief disable browser caching
+ * disable browser caching
* @see enableCaching with cache_time = 0
*/
static public function disableCaching() {
@@ -50,7 +50,7 @@ class OC_Response {
}
/**
- * @brief Set response status
+ * Set response status
* @param int $status a HTTP status code, see also the STATUS constants
*/
static public function setStatus($status) {
@@ -84,7 +84,7 @@ class OC_Response {
}
/**
- * @brief Send redirect response
+ * Send redirect response
* @param string $location to redirect to
*/
static public function redirect($location) {
@@ -93,8 +93,8 @@ class OC_Response {
}
/**
- * @brief Set reponse expire time
- * @param $expires date-time when the response expires
+ * Set reponse expire time
+ * @param string|DateTime $expires date-time when the response expires
* string for DateInterval from now
* DateTime object when to expire response
*/
@@ -114,7 +114,7 @@ class OC_Response {
/**
* Checks and set ETag header, when the request matches sends a
* 'not modified' response
- * @param $etag token to use for modification check
+ * @param string $etag token to use for modification check
*/
static public function setETagHeader($etag) {
if (empty($etag)) {
@@ -132,7 +132,7 @@ class OC_Response {
/**
* Checks and set Last-Modified header, when the request matches sends a
* 'not modified' response
- * @param $lastModified time when the reponse was last modified
+ * @param int|DateTime|string $lastModified time when the reponse was last modified
*/
static public function setLastModifiedHeader($lastModified) {
if (empty($lastModified)) {
@@ -171,7 +171,7 @@ class OC_Response {
}
/**
- * @brief Send file as response, checking and setting caching headers
+ * Send file as response, checking and setting caching headers
* @param string $filepath of file to send
*/
static public function sendFile($filepath) {
@@ -187,4 +187,36 @@ class OC_Response {
self::setStatus(self::STATUS_NOT_FOUND);
}
}
+
+ /*
+ * This function adds some security related headers to all requests served via base.php
+ * The implementation of this function has to happen here to ensure that all third-party
+ * components (e.g. SabreDAV) also benefit from this headers.
+ */
+ public static function addSecurityHeaders() {
+ header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+
+ // iFrame Restriction Policy
+ $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+ if ($xFramePolicy) {
+ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+ }
+
+ // Content Security Policy
+ // If you change the standard policy, please also change it in config.sample.php
+ $policy = OC_Config::getValue('custom_csp_policy',
+ 'default-src \'self\'; '
+ . 'script-src \'self\' \'unsafe-eval\'; '
+ . 'style-src \'self\' \'unsafe-inline\'; '
+ . 'frame-src *; '
+ . 'img-src *; '
+ . 'font-src \'self\' data:; '
+ . 'media-src *');
+ header('Content-Security-Policy:' . $policy);
+
+ // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+ header('X-Robots-Tag: none');
+ }
+
}
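Review bot: The default policy built in addSecurityHeaders() ships `'unsafe-eval'` in script-src, `'unsafe-inline'` in style-src and wildcard `frame-src`, `img-src` and `media-src`, but nothing in the new code records which components need each relaxation, so nobody can later tighten the policy without guessing; a comment above the `$policy` assignment such as `// 'unsafe-eval' and 'unsafe-inline' are required by <name the JS/templating code>; frame-src/img-src/media-src are open for external content (e.g. shared files/previews) - revisit before narrowing` would make the trade-off reviewable (fill in the actual consumers, which this hunk does not show). On the formatting side, `header('Content-Security-Policy:' . $policy)` omits the space after the colon that every other header in the function has; `header('Content-Security-Policy: ' . $policy);` keeps the output consistent, and `header('X-Frame-Options: SAMEORIGIN');` uses the token as RFC 7034 spells it (browsers appear to match it case-insensitively, but the canonical form avoids relying on that). Since `header()` replaces an existing header of the same name by default, any caller that wants a stricter per-response CSP presumably has to run after this function; if that ordering is intended it is worth stating in the method comment, which should also be a `/**` docblock like the rest of the class rather than a plain `/*` comment. The rest of the class, including where base.php invokes this method, lies outside the hunk.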