path: root/lib/public/AppFramework/Http
Commit message | Author | Date | Files | Lines
...
* Rework array handling to avoid phan error | Julius Härtl | 2018-02-27 | 1 | -27/+12
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add id to list element | Julius Härtl | 2018-02-27 | 1 | -2/+2
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Sort menu by priority | Julius Härtl | 2018-02-27 | 1 | -0/+3
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add missing phpdoc for public API | Julius Härtl | 2018-02-27 | 2 | -1/+65
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add phpdoc, typehints and sanitize HTML | Julius Härtl | 2018-02-27 | 1 | -5/+69
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add menu item abstraction | Julius Härtl | 2018-02-27 | 3 | -0/+265
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Pass template parameters to parent template | Julius Härtl | 2018-02-27 | 1 | -1/+1
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Make sure that render always returns a string | Roeland Jago Douma | 2018-02-21 | 1 | -2/+2
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Change @georgehrke's email | Morris Jobke | 2017-11-06 | 1 | -1/+1
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Update license headers | Morris Jobke | 2017-11-06 | 8 | -0/+12
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Doc: Fix phpDoc issues | Julius Härtl | 2017-10-23 | 1 | -1/+1
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
* OC_OCS_Response is deprecated | Roeland Jago Douma | 2017-09-21 | 1 | -1/+1
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* fix typo and set @since properly | Thomas Citharel | 2017-09-15 | 2 | -6/+6
    Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* Add CSP frame-ancestors support | Thomas Citharel | 2017-09-15 | 2 | -0/+34
    Didn't set the @since annotation yet.
    Signed-off-by: Thomas Citharel <tcit@tcit.fr>
*   Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call | Morris Jobke | 2017-08-01 | 1 | -1/+15
|\      Add metadata to \OCP\AppFramework\Http\Response::throttle
| * Add metadata to \OCP\AppFramework\Http\Response::throttle | Lukas Reschke | 2017-07-27 | 1 | -1/+15
| |     Fixes https://github.com/nextcloud/server/issues/5891
| |     Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* | Replace wrong PHPDocs | Lukas Reschke | 2017-08-01 | 2 | -1/+2
|/      Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Some phpstorm inspection fixes | Roeland Jago Douma | 2017-07-22 | 2 | -2/+2
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove unused use statements | Morris Jobke | 2017-04-22 | 3 | -4/+0
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Make BruteForceProtection annotation more clever | Lukas Reschke | 2017-04-13 | 1 | -0/+19
    This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into its own middleware.

    Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$response->throttle()` to increase the counter. Before, the counter was increased every time, which leads to all kinds of unexpected problems.

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Web app manifest | Pierre Rudloff | 2017-03-28 | 1 | -0/+1
    Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
* Add base-uri to CSP policy | Lukas Reschke | 2017-03-16 | 1 | -0/+1
    As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening
    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* set 'no-store' cache header if we do not want FF to cache | Christoph Wurst | 2017-01-09 | 1 | -2/+2
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* prevent warning in StreamResponse | Robin Appelman | 2016-11-29 | 1 | -1/+1
    Signed-off-by: Robin Appelman <robin@icewind.nl>
* allow passing a stream to StreamResponse | Robin Appelman | 2016-11-16 | 2 | -3/+3
    Signed-off-by: Robin Appelman <robin@icewind.nl>
* @since 9.2.0 to @since 11.0.0 | Roeland Jago Douma | 2016-11-15 | 2 | -4/+4
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add support for CSP nonces | Lukas Reschke | 2016-10-24 | 2 | -2/+24
    CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce."

    At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API), they now must also include that attribute.

    IE currently does not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list.

    An alternative approach would be to just add `'unsafe-inline'` as well, as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

    Implementing this offers the following advantages:

    1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
    2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

    If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Initial AppData | Roeland Jago Douma | 2016-10-05 | 1 | -4/+3
    * Introduce simpleFS
    * Introduce IAppData
    * Introduce AppData Factory to get your AppData folder
    * Update FileDisplayResponse
    * AppData implements a ISimpleRoot but lazy. So only if an app starts to access data will stuff get initialized

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add strict CSP to OCS responses | Roeland Jago Douma | 2016-09-15 | 1 | -3/+3
    If a response now explicitly has the Empty CSP set then the middleware won't touch it.
* Add FileDisplayResponse | Roeland Jago Douma | 2016-09-05 | 1 | -0/+70
    A lazy implementation of the DisplayResponse that only hits the filesystem if the etag and mtime do not match.
*   Merge pull request #1158 from nextcloud/cache_avatars | Lukas Reschke | 2016-09-05 | 1 | -2/+1
|\      Cache avatars
| * Cache avatars properly | Roeland Jago Douma | 2016-08-30 | 1 | -2/+1
| |     * Set proper caching headers for avatars (15 minutes)
| |     * For our own avatar use some extra logic to invalidate when we update
* | Deprecate OCSResponse | Roeland Jago Douma | 2016-09-05 | 1 | -2/+3
|/      The OCSResponse should not be used by apps. They should extend the OCSController and use normal DataResponses instead.
* Fix others | Joas Schilling | 2016-07-21 | 15 | -16/+31
* Update license headers | Lukas Reschke | 2016-05-26 | 8 | -8/+9
* Move \OCP\AppFramework to PSR-4 | Roeland Jago Douma | 2016-05-06 | 15 | -0/+1729