1
0

StrictContentSecurityPolicy.php 2.4 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCP\AppFramework\Http;
  8. /**
  9. * Class StrictContentSecurityPolicy is a simple helper which allows applications to
  10. * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript,
  11. * stylesheets, images, fonts, media and connections from the same domain
  12. * ('self') are allowed.
  13. *
  14. * Even if a value gets modified above defaults will still get appended. Please
  15. * note that Nextcloud ships already with sensible defaults and those policies
  16. * should require no modification at all for most use-cases.
  17. *
  18. * This class represents out strictest defaults. They may get change from release
  19. * to release if more strict CSP directives become available.
  20. *
  21. * @since 14.0.0
  22. * @deprecated 17.0.0
  23. */
  24. class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
  25. /** @var bool Whether inline JS snippets are allowed */
  26. protected $inlineScriptAllowed = false;
  27. /** @var bool Whether eval in JS scripts is allowed */
  28. protected $evalScriptAllowed = false;
  29. /** @var bool Whether WebAssembly compilation is allowed */
  30. protected ?bool $evalWasmAllowed = false;
  31. /** @var array Domains from which scripts can get loaded */
  32. protected $allowedScriptDomains = [
  33. '\'self\'',
  34. ];
  35. /** @var bool Whether inline CSS is allowed */
  36. protected $inlineStyleAllowed = false;
  37. /** @var array Domains from which CSS can get loaded */
  38. protected $allowedStyleDomains = [
  39. '\'self\'',
  40. ];
  41. /** @var array Domains from which images can get loaded */
  42. protected $allowedImageDomains = [
  43. '\'self\'',
  44. 'data:',
  45. 'blob:',
  46. ];
  47. /** @var array Domains to which connections can be done */
  48. protected $allowedConnectDomains = [
  49. '\'self\'',
  50. ];
  51. /** @var array Domains from which media elements can be loaded */
  52. protected $allowedMediaDomains = [
  53. '\'self\'',
  54. ];
  55. /** @var array Domains from which object elements can be loaded */
  56. protected $allowedObjectDomains = [];
  57. /** @var array Domains from which iframes can be loaded */
  58. protected $allowedFrameDomains = [];
  59. /** @var array Domains from which fonts can be loaded */
  60. protected $allowedFontDomains = [
  61. '\'self\'',
  62. ];
  63. /** @var array Domains from which web-workers and nested browsing content can load elements */
  64. protected $allowedChildSrcDomains = [];
  65. /** @var array Domains which can embed this Nextcloud instance */
  66. protected $allowedFrameAncestors = [];
  67. }