From b38fa573e1fd7c05a76cae642eef6f388219df16 Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 12 Jun 2018 22:34:58 +0200 Subject: Add stricter CSPs * Deprecate our default CSP * Add strict CSP that is always our strictest setting * Add strict eval CSP (disable unsafe-eval) * Add strict inline CSP (disables inline styles) This is just to move forward and have a incremental improvement of our CSP Signed-off-by: Roeland Jago Douma --- lib/public/AppFramework/Http/ContentSecurityPolicy.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lib/public/AppFramework/Http/ContentSecurityPolicy.php') diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php index 9438c6ead61..c705955bb8a 100644 --- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php @@ -27,16 +27,19 @@ namespace OCP\AppFramework\Http; /** * Class ContentSecurityPolicy is a simple helper which allows applications to - * modify the Content-Security-Policy sent by ownCloud. Per default only JavaScript, + * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, * stylesheets, images, fonts, media and connections from the same domain * ('self') are allowed. * * Even if a value gets modified above defaults will still get appended. Please - * notice that ownCloud ships already with sensible defaults and those policies + * notice that Nextcloud ships already with sensible defaults and those policies * should require no modification at all for most use-cases. * + * This class allows unsafe-eval of javascript and unsafe-inline of CSS. + * * @package OCP\AppFramework\Http * @since 8.1.0 + * @deprecated 14.0.0 Use one of our stricter CSP policies */ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { /** @var bool Whether inline JS snippets are allowed */ -- cgit v1.2.3
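Review bot: The new `@deprecated 14.0.0 Use one of our stricter CSP policies` tag in the class docblock does not name the replacement, so an app developer reading this file cannot tell which class to migrate to; the commit message lists three new policies (strict, strict eval, strict inline), so add a `@see` line for each replacement class, or at least spell out in the tag which one is the recommended default. The added sentence `This class allows unsafe-eval of javascript and unsafe-inline of CSS.` is a useful statement of what this policy relaxes, but it would be clearer placed directly above the `@deprecated` tag so the reason for the deprecation and the pointer to the stricter alternatives read together; "javascript" should also be spelled "JavaScript" as on the line above it. Since the hunk only touches the docblock and the `ownCloud` to `Nextcloud` wording, nothing in this file changes behaviour, so the risk of this change is limited to documentation, but note that the unchanged context line `Even if a value gets modified above defaults will still get appended.` is missing a comma after "modified" and could be tidied while this block is being edited.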