aboutsummaryrefslogtreecommitdiffstats
path: root/lib/public/AppFramework/Http
Commit message (Collapse)AuthorAgeFilesLines
* chore: apply new CSFixer rulesFerdinand Thiessen2025-07-016-0/+6
| | | | | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> # Conflicts: # apps/settings/lib/SetupChecks/PhpOpcacheSetup.php
* feat(files_sharing): show Account menu on public pagesskjnldsv2025-06-111-0/+1
| | | | Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
* fix: use correct format for expires, last-modified, and if-modified-since ↵Daniel Kesselberg2025-06-101-2/+2
| | | | | | | | | | | headers Before: Sat, 10 May 2025 18:17:41 +0000 After: Sat, 10 May 2025 18:17:41 GMT RFC: https://httpwg.org/specs/rfc9110.html#http.date Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* feat(RequestHeader): Add indirect parameterfeat/requestheader/indirect-parameterprovokateurin2025-06-031-0/+2
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* refactor(RequestHeader): Make parameter types stricterprovokateurin2025-06-031-2/+2
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* chore(RequestHeader): Remove unnecessary gettersprovokateurin2025-06-031-18/+0
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(Http): Add RequestHeader attributefeat/http/request-header-attributeprovokateurin2025-05-201-0/+50
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* refactor: migrate from OC to OCP in public interfacesrefactor/ocp-deprecationsFerdinand Thiessen2025-05-152-6/+4
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix: Migrate all uses of OCP\Template to OCP\Template\ITemplateManagerCôme Chilliet2025-03-061-1/+7
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Fix psalm issues and add missing methods to ITemplate interfaceCôme Chilliet2025-03-061-2/+3
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* chore: Correctly flag json encoding methods as escaping html and quotesCôme Chilliet2025-02-171-0/+3
| | | | | | | Especially with JSON_HEX_TAG it’s perfectly fine to echo JSON, and we only use it in JSON output anyway. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #50070 from nextcloud/docs/http/cors-attributeJoas Schilling2025-01-091-1/+3
|\ | | | | docs(HTTP): Add proper docs for CORS attribute
| * docs(HTTP): Add proper docs for CORS attributedocs/http/cors-attributeprovokateurin2025-01-071-1/+3
| | | | | | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* | fix(Http): Only allow valid HTTP status code values via templatefix/http/template-valid-status-codesprovokateurin2025-01-0717-33/+35
|/ | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(HTTP): Adjust JSONResponse data typefix/http/jsonresponse-data-typeprovokateurin2025-01-041-1/+1
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* feat: Use inline password confirmation in external storage settingsLouis Chemineau2024-11-281-0/+17
| | | | Signed-off-by: Louis Chemineau <louis@chmn.me>
* chore: Add proper deprecation dates where missingFerdinand Thiessen2024-09-201-1/+1
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore(deps): Update nextcloud/coding-standard to v1.3.1provokateurin2024-09-195-5/+7
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* fix: Fix missing footer on public pagesChristopher Ng2024-09-041-0/+12
| | | | Signed-off-by: Christopher Ng <chrng8@gmail.com>
* chore(ExternalShareMenuAction): Remove unused legacy propertiesFerdinand Thiessen2024-09-031-16/+5
| | | | | | | | | | | Keep them in the constructor to not break the API, but they are not used anymore. This way of adding a share was deprecated in Nextcloud 12 (2016!), in favor of the federated share API, in Nextcloud 28 this way to create a share was removed. So we can cleanup as all it takes now to create a federeated share is the share token + federated user ID. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* refactor(IMenuAction): Make public menu actions use the new Vue UIFerdinand Thiessen2024-09-035-61/+62
| | | | | | | | This removes custom rendering code an replaces it with the declarative menu actions. Also adjust the template to allow the Vue UI to mount. Custom entries still are possible. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* style: update codestyle for coding-standard 1.2.3Daniel Kesselberg2024-08-256-13/+13
| | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* test: Adjust tests for CSP nonceFerdinand Thiessen2024-08-131-1/+1
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix: Make sure CSP nonce is not double base64 encodedFerdinand Thiessen2024-08-131-2/+2
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat: Allow passing additional encode flags for json responseChristopher Ng2024-08-011-2/+15
| | | | Signed-off-by: Christopher Ng <chrng8@gmail.com>
* feat: Increase max depth of encoded jsonChristopher Ng2024-08-011-1/+1
| | | | Signed-off-by: Christopher Ng <chrng8@gmail.com>
* feat: allow for ExApps to call Admin endpoints marked with specific attrAlexander Piskun2024-07-181-0/+21
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* fix: ARateLimit documentationskjnldsv2024-07-121-0/+2
| | | | Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
* feat(OpenAPI): Add ex_app scopeprovokateurin2024-07-021-0/+8
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(AppFramework): Add ExAppRequired attributeprovokateurin2024-07-011-0/+21
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: Add SPDX headerAndy Scherzinger2024-05-2451-1043/+130
| | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix(AppFramework): Fix error message about 204 not allowing custom headersprovokateurin2024-04-081-1/+1
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* fix: Apply new coding standard to all filesCôme Chilliet2024-04-021-1/+1
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Allow nonce in csp header also if no other reasons are givenJulius Härtl2024-03-081-3/+3
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* feat(AppFramework): Add Route attributeprovokateurin2024-02-213-0/+287
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(API): Use a distinct exception so apps can react to it and customize the ↵Joas Schilling2023-11-281-0/+79
| | | | | | return Signed-off-by: Joas Schilling <coding@schilljs.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-231-1/+1
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fix(CSP): Only add `strict-dynamic` when using noncesFerdinand Thiessen2023-11-171-6/+6
| | | | Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on ↵Ferdinand Thiessen2023-11-171-1/+1
| | | | | | `script-src-elem` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on ↵Ferdinand Thiessen2023-11-172-6/+30
| | | | | | | | | `script-src-elem` only This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(openapi): Add OpenAPI attribute to allow multiple scopes and ↵Joas Schilling2023-11-032-0/+100
| | | | | | overwriting tags Signed-off-by: Joas Schilling <coding@schilljs.com>
* Stop sending deprecated Pragma headerGit'Fellow2023-08-281-4/+3
| | | | Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
* add separate event for rendering login page templateRobin Appelman2023-08-171-0/+52
| | | | Signed-off-by: Robin Appelman <robin@icewind.nl>
* Allow "wasm-unsafe-eval" in CSPDaniel Calviño Sánchez2023-08-103-1/+21
| | | | | | | | | | | | | | | | | | If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* fix!: Remove legacy event dispatching Symfony's GenericEvent from ↵Joas Schilling2023-07-271-9/+0
| | | | | | AdditionalScripts Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add IgnoreOpenAPI attributejld31032023-07-101-0/+37
| | | | Signed-off-by: jld3103 <jld3103yt@gmail.com>
* chore: Replace \OC::$server->query with \OCP\Server::get in /libChristoph Wurst2023-07-061-1/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add template types to responsesjld31032023-06-3017-94/+198
| | | | Signed-off-by: jld3103 <jld3103yt@gmail.com>
* chore(appframework)!: Drop ↵Christoph Wurst2023-06-121-18/+1
| | | | | | \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Drop meta robots tagGit'Fellow2023-06-091-1/+0
| | | | | | Revert mistake Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>