path: root/lib/private/response.php
Commit message [Author, Age, Files, Lines]
* lib: Fix typos (found by codespell) [Stefan Weil, 2016-04-07, 1, -3/+3]
|     Signed-off-by: Stefan Weil <sw@weilnetz.de>
* Merge pull request #21630 from owncloud/add-some-security-headers-as-hardening [Thomas Müller, 2016-01-13, 1, -0/+2]
|\    Add X-Download-Options and X-Permitted-Cross-Domain-Policies
| * Add X-Download-Options and X-Permitted-Cross-Domain-Policies [Lukas Reschke, 2016-01-12, 1, -0/+2]
| |     Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
* | Happy new year! [Thomas Müller, 2016-01-12, 1, -2/+2]
|/
* Use getHttpProtocol instead of $_SERVER [Lukas Reschke, 2015-10-30, 1, -1/+1]
|
* Add blob: scheme to default CSP policy [Lukas Reschke, 2015-09-29, 1, -1/+1]
|     Fixes https://github.com/owncloud/core/issues/19438
* Fix CSP for images for legacy apps [Olivier Paroz, 2015-09-28, 1, -1/+1]
|     Fixes #19425
* update license headers and authors [Morris Jobke, 2015-06-25, 1, -0/+1]
|
* Add version to deprecation notice [Lukas Reschke, 2015-04-20, 1, -1/+1]
|     As requested by @MorrisJobke
* Deprecate unused `\OCP\Response::sendFile` [Lukas Reschke, 2015-04-20, 1, -3/+4]
|     This function is unused in our own code and can be better achieved using the AppFramework. Also very easy to do grave mistakes using this function.
* Merge pull request #15229 from owncloud/response-setContentLengthHeader [Thomas Müller, 2015-04-03, 1, -1/+22]
|\    Add OC_Response::setContentLengthHeader() for Apache PHP SAPI workaround...
| * Add OC_Response::setContentLengthHeader() for Apache PHP SAPI workaround. [Andreas Fischer, 2015-03-26, 1, -1/+22]
| |     Do not send Content-Length headers with a value larger than PHP_INT_MAX (2147483647) on Apache PHP SAPI 32-bit. PHP will eat them and send 2147483647 instead. When X-Sendfile is enabled, Apache will send a correct Content-Length header, even for files larger than 2147483647 bytes. When X-Sendfile is not enabled, ownCloud will not send a Content-Length header. This prevents progress bars from working, but allows the actual transfer to work properly.
* | Add some generic default headers as well via PHP [Lukas Reschke, 2015-03-26, 1, -0/+9]
| |
* | Update license headers [Jenkins for ownCloud, 2015-03-26, 1, -4/+23]
|/
* Let users configure security headers in their Webserver [Lukas Reschke, 2015-03-02, 1, -12/+0]
|     Doing this in the PHP code is not the right approach for multiple reasons:
|     1. A bug in the PHP code prevents them from being added to the response.
|     2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
|     3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and led to buggy situations.
|     This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
* Revert "Updating license headers" [Morris Jobke, 2015-02-26, 1, -23/+5]
|     This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
* Updating license headers [Jenkins for ownCloud, 2015-02-23, 1, -5/+23]
|
* Merge pull request #13989 from owncloud/enhancment/security/11857 [Clark Tomlinson, 2015-02-18, 1, -6/+9]
|\    Allow AppFramework applications to specify a custom CSP header
| * Allow AppFramework applications to specify a custom CSP header [Lukas Reschke, 2015-02-16, 1, -6/+9]
| |     This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
| |     Legacy ownCloud components will still use the previous policy. Application developers can use this as follows in their controllers:

```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

| |     Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
* | Refactor OC_Request into TrustedDomainHelper and IRequest [Lukas Reschke, 2015-02-16, 1, -5/+6]
|/    This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.
|     This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.
|     Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.
|     Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
* Allow any outgoing XHR connections [Lukas Reschke, 2014-10-30, 1, -1/+2]
|     Quickfix for https://github.com/owncloud/core/issues/11064
* Merge branch 'master' into cleanup-list-code [Thomas Müller, 2014-05-19, 1, -9/+41]
|\    Conflicts: apps/files_sharing/ajax/list.php
| * Remove all occurrences of @brief and @returns from PHPDoc [Morris Jobke, 2014-05-19, 1, -6/+6]
| |     * test case added to avoid adding them later
| * Fix all PHPDoc types and variable names, in /lib [Robin McCorkell, 2014-05-13, 1, -3/+3]
| |
| * adding X-Robots-Tag to all responses of ownCloud + move addSecurityHeaders() ↵ [Thomas Müller, 2014-05-12, 1, -0/+32]
| |     to OC_Response, which seems to be a more reasonable place
* | Cleanup code a little bit [Lukas Reschke, 2014-05-04, 1, -0/+1]
|/
|     - Use OCP\Response constants instead of the HTTP error code
|     - Use checkAppEnabled() instead of OC_App::isEnabled with an if statement
|     - Remove unneeded variable $baseURL
|     - Rename $isvalid to $isValid
* Some more PHPDoc fixes [Lukas Reschke, 2014-04-21, 1, -1/+1]
|
* Return 503 when a config/data dir error exists [Vincent Petry, 2014-03-14, 1, -0/+4]
|
* Merge branch 'master' into scrutinizer_documentation_patches [Thomas Müller, 2014-02-14, 1, -1/+5]
|\    Conflicts: lib/private/appconfig.php
| * New user agent added for the Freebox. [Martial Saunois, 2014-01-26, 1, -1/+5]
| |     The Freebox is the multimedia device of a French Internet provider: Free. This device provides a seedbox which uses the user agent "Mozilla/5.0". In the "Content-Disposition" header, if the "filename" key is used with the "filename*=UTF-8''" value, the seedbox does not take care about the header and saves the file name with the origin URL. This patch brings the support for the Freebox users.
* | polish documentation based on scrutinizer patches [Jörn Friedrich Dreyer, 2014-02-06, 1, -3/+3]
|/
* Added isUserAgent() method to request [Vincent Petry, 2013-12-19, 1, -2/+1]
|     - added isUserAgent() method to OC_Request which makes it possible to test it
|     - OC_Response::setContentDisposition now uses OC_Request::isUserAgent()
* Added workaround for Android content disposition [Vincent Petry, 2013-12-10, 1, -1/+2]
|     Fixes #5807
* Moved content disposition code+workarounds to OCP\Response [Vincent Petry, 2013-12-10, 1, -0/+14]
|     Added new OC\Response API called setContentDispositionHeader() that contains the needed workarounds for UTF8 and IE. Refactored download code to use the new API. Removed unused trashbin download file.
* move the private namespace OC into lib/private - OCP will stay in lib/public [Thomas Müller, 2013-09-30, 1, -0/+167]
      Conflicts: lib/private/vcategories.php