* @author Lukas Reschke
 * @author Pavel Krasikov
 * @author Pierre Rudloff
 * @author Roeland Jago Douma
 * @author Thomas Citharel
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program. If not, see
 *
 */

namespace OCP\AppFramework\Http;

/**
 * Class EmptyContentSecurityPolicy is a simple helper which allows applications
 * to modify the Content-Security-Policy sent by Nextcloud. Per default the policy
 * is forbidding everything: every setting below is initialised to null and has to
 * be opted into explicitly through the fluent setters (e.g. useStrictDynamic()).
 *
 * This class only records the configuration; rendering it into the actual
 * Content-Security-Policy header value is not part of this section of the file.
 *
 * As alternative with sane exemptions look at ContentSecurityPolicy
 *
 * @see \OCP\AppFramework\Http\ContentSecurityPolicy
 * @since 9.0.0
 */
class EmptyContentSecurityPolicy {
    /**
     * @var ?string JS nonce to be used
     *
     * For nonce-based CSP to be effective the value must be unpredictable and
     * unique per response. This class only stores it; where it is generated is
     * not visible here (presumably set by the caller/subclass — verify).
     */
    protected ?string $jsNonce = null;

    /**
     * @var bool Whether strict-dynamic should be used
     *
     * Documented as bool but initialised to null (i.e. "not configured") and left
     * without a native property type. NOTE(review): adding a native type here would
     * change the contract for any subclass that redeclares this property — confirm
     * before typing. The same applies to the other untyped bool/array properties below.
     */
    protected $strictDynamicAllowed = null;

    /**
     * @var bool Whether strict-dynamic should be used on script-src-elem
     *
     * Narrower variant of $strictDynamicAllowed: it targets the script-src-elem
     * directive only rather than the general script directive.
     */
    protected $strictDynamicAllowedOnScripts = null;

    /**
     * @var bool Whether eval in JS scripts is allowed
     * TODO: Disallow per default
     * @link https://github.com/owncloud/core/issues/11925
     *
     * Allowing eval presumably maps to 'unsafe-eval' in the rendered policy, which
     * removes much of CSP's protection against injected script; the TODO above
     * tracks making the default false.
     */
    protected $evalScriptAllowed = null;

    /**
     * @var bool Whether WebAssembly compilation is allowed
     *
     * Kept separate from $evalScriptAllowed so WebAssembly can be permitted
     * without also permitting JavaScript eval.
     */
    protected ?bool $evalWasmAllowed = null;

    /** @var array Domains from which scripts can get loaded */
    protected $allowedScriptDomains = null;

    /**
     * @var bool Whether inline CSS is allowed
     * TODO: Disallow per default
     * @link https://github.com/owncloud/core/issues/13458
     *
     * Inline styles presumably map to 'unsafe-inline' on the style directive;
     * injected CSS can be used for data exfiltration and UI redress, hence the TODO.
     */
    protected $inlineStyleAllowed = null;

    /** @var array Domains from which CSS can get loaded */
    protected $allowedStyleDomains = null;

    /** @var array Domains from which images can get loaded */
    protected $allowedImageDomains = null;

    /**
     * @var array Domains to which connections can be done
     *
     * Covers script-initiated connections (fetch/XHR/WebSocket and similar), i.e.
     * the connect-src family of targets.
     */
    protected $allowedConnectDomains = null;

    /** @var array Domains from which media elements can be loaded */
    protected $allowedMediaDomains = null;

    /** @var array Domains from which object elements can be loaded */
    protected $allowedObjectDomains = null;

    /** @var array Domains from which iframes can be loaded */
    protected $allowedFrameDomains = null;

    /** @var array Domains from which fonts can be loaded */
    protected $allowedFontDomains = null;

    /** @var array Domains from which web-workers and nested browsing content can load elements */
    protected $allowedChildSrcDomains = null;

    /**
     * @var array Domains which can embed this Nextcloud instance
     *
     * Controls who may frame this instance (the frame-ancestors direction, not the
     * frame-src one); this is the CSP-side clickjacking defence, so additions here
     * should be deliberate and as narrow as possible.
     */
    protected $allowedFrameAncestors = null;

    /** @var array Domains from which web-workers can be loaded */
    protected $allowedWorkerSrcDomains = null;

    /**
     * @var array Domains which can be used as target for forms
     *
     * Restricting form targets limits credential/data exfiltration through forms
     * injected into a page; keep this list as small as possible.
     */
    protected $allowedFormActionDomains = null;

    /**
     * @var array Locations to report violations to
     *
     * Only the destinations are stored here; whether the policy is enforced or
     * report-only is not decided in this section of the file.
     */
    protected $reportTo = null;

    /**
     * Enable or disable `strict-dynamic` for the general script directive.
     *
     * With `strict-dynamic`, CSP3-capable browsers extend trust from a nonce- or
     * hash-allowed script to the scripts it loads and ignore host-based script
     * allow lists, so the nonce in $jsNonce becomes the primary control. Note the
     * default is false: calling this without an argument disables strict-dynamic,
     * it does not enable it. Only the flag is recorded here; rendering happens elsewhere.
     *
     * @param bool $state
     * @return EmptyContentSecurityPolicy
     * @since 24.0.0
     */
    public function useStrictDynamic(bool $state = false): self {
        $this->strictDynamicAllowed = $state;
        return $this;
    }

    /**
     * In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem
     * Meaning only grants trust to all imports of scripts that were loaded in `