path: root/tests/lib/AppFramework/Http/ContentSecurityPolicyTest.php
Commit message | Author | Age | Files | Lines
* test: Adjust tests for CSP nonce | Ferdinand Thiessen | 2024-08-13 | 1 | -120/+120
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore: Add SPDX header | Andy Scherzinger | 2024-05-13 | 1 | -4/+3
  Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix(CSP): Only add `strict-dynamic` when using nonces | Ferdinand Thiessen | 2023-11-17 | 1 | -58/+58
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem` | Ferdinand Thiessen | 2023-11-17 | 1 | -76/+73
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only | Ferdinand Thiessen | 2023-11-17 | 1 | -0/+37
  This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* Allow "wasm-unsafe-eval" in CSP | Daniel Calviño Sánchez | 2023-08-10 | 1 | -0/+7
  If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive contains neither `wasm-unsafe-eval` nor `unsafe-eval`, loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread).
  Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval`, this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make it possible to allow WebAssembly execution without allowing JavaScript `eval`, this commit adds support for allowing `wasm-unsafe-eval`.
  Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript | Christoph Wurst | 2023-06-12 | 1 | -17/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* composer run cs:fix | Côme Chilliet | 2023-01-20 | 1 | -1/+0
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Allow to set a strict-dynamic CSP through the API | Julius Härtl | 2022-03-09 | 1 | -0/+17
  Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Remove unused imports | Christoph Wurst | 2020-03-25 | 1 | -1/+0
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Mode to modern phpunit | Roeland Jago Douma | 2019-11-27 | 1 | -1/+1
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make phpunit8 compatible | Roeland Jago Douma | 2019-11-27 | 1 | -1/+1
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Some php-cs fixes | Roeland Jago Douma | 2019-11-22 | 1 | -1/+0
  * Order the imports
  * No leading slash on imports
  * Empty line before namespace
  * One line per import
  * Empty after imports
  * Empty line at bottom of file
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update CSP test cases to handle the new form-action | Roeland Jago Douma | 2019-07-31 | 1 | -58/+58
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Set default frame-ancestors to 'self' | Roeland Jago Douma | 2019-01-08 | 1 | -58/+58
  For #13042
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* CSP: Allow fonts to be provided in data | Roeland Jago Douma | 2019-01-07 | 1 | -58/+58
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Disallow unsafe-eval by default | Roeland Jago Douma | 2018-10-14 | 1 | -56/+63
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add CSP frame-ancestors support | Thomas Citharel | 2017-09-15 | 1 | -0/+41
  Didn't set the @since annotation yet.
  Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* Fix unit tests | Morris Jobke | 2017-03-28 | 1 | -52/+52
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Add base-uri to CSP policy | Lukas Reschke | 2017-03-16 | 1 | -52/+52
  As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Move tests/ to PSR-4 (#24731) | Joas Schilling | 2016-05-20 | 1 | -0/+429
  * Move a-b to PSR-4
  * Move c-d to PSR-4
  * Move e+g to PSR-4
  * Move h-l to PSR-4
  * Move m-r to PSR-4
  * Move s-u to PSR-4
  * Move files/ to PSR-4
  * Move remaining tests to PSR-4
  * Remove Test\ from old autoloader