
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Roeland Jago Douma <roeland@famdouma.nl>
  7. *
  8. * @license GNU AGPL version 3 or any later version
  9. *
  10. * This program is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License as
  12. * published by the Free Software Foundation, either version 3 of the
  13. * License, or (at your option) any later version.
  14. *
  15. * This program is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18. * GNU Affero General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Affero General Public License
  21. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  22. *
  23. */
  24. namespace OCP\AppFramework\Http;
  25. /**
  26. * Class StrictContentSecurityPolicy is a simple helper which allows applications to
  27. * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript,
  28. * stylesheets, images, fonts, media and connections from the same domain
  29. * ('self') are allowed.
  30. *
  31. * Even if a value gets modified, the defaults above will still get appended. Please
  32. * note that Nextcloud already ships with sensible defaults and those policies
  33. * should require no modification at all for most use-cases.
  34. *
  35. * This class represents our strictest defaults. They may change from release
  36. * to release as stricter CSP directives become available.
  37. *
  38. * @since 14.0.0
  39. * @deprecated 17.0.0
  40. */
  41. class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
  42. /** @var bool Whether inline JS snippets are allowed */
  43. protected $inlineScriptAllowed = false;
  44. /** @var bool Whether eval in JS scripts is allowed */
  45. protected $evalScriptAllowed = false;
  46. /** @var bool Whether WebAssembly compilation is allowed */
  47. protected ?bool $evalWasmAllowed = false;
  48. /** @var array Domains from which scripts can get loaded */
  49. protected $allowedScriptDomains = [
  50. '\'self\'',
  51. ];
  52. /** @var bool Whether inline CSS is allowed */
  53. protected $inlineStyleAllowed = false;
  54. /** @var array Domains from which CSS can get loaded */
  55. protected $allowedStyleDomains = [
  56. '\'self\'',
  57. ];
  58. /** @var array Domains from which images can get loaded */
  59. protected $allowedImageDomains = [
  60. '\'self\'',
  61. 'data:',
  62. 'blob:',
  63. ];
  64. /** @var array Domains to which connections can be done */
  65. protected $allowedConnectDomains = [
  66. '\'self\'',
  67. ];
  68. /** @var array Domains from which media elements can be loaded */
  69. protected $allowedMediaDomains = [
  70. '\'self\'',
  71. ];
  72. /** @var array Domains from which object elements can be loaded */
  73. protected $allowedObjectDomains = [];
  74. /** @var array Domains from which iframes can be loaded */
  75. protected $allowedFrameDomains = [];
  76. /** @var array Domains from which fonts can be loaded */
  77. protected $allowedFontDomains = [
  78. '\'self\'',
  79. ];
  80. /** @var array Domains from which web-workers and nested browsing content can load elements */
  81. protected $allowedChildSrcDomains = [];
  82. /** @var array Domains which can embed this Nextcloud instance */
  83. protected $allowedFrameAncestors = [];
  84. }