StrictContentSecurityPolicy.php 3.1 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Roeland Jago Douma <roeland@famdouma.nl>
  7. *
  8. * @license GNU AGPL version 3 or any later version
  9. *
  10. * This program is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License as
  12. * published by the Free Software Foundation, either version 3 of the
  13. * License, or (at your option) any later version.
  14. *
  15. * This program is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18. * GNU Affero General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Affero General Public License
  21. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  22. *
  23. */
  24. namespace OCP\AppFramework\Http;
  25. /**
  26. * Class StrictContentSecurityPolicy is a simple helper which allows applications to
  27. * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript,
  28. * stylesheets, images, fonts, media and connections from the same domain
  29. * ('self') are allowed.
  30. *
  31. * Even if a value gets modified above defaults will still get appended. Please
  32. * notice that Nextcloud ships already with sensible defaults and those policies
  33. * should require no modification at all for most use-cases.
  34. *
  35. * This class represents out strictest defaults. They may get change from release
  36. * to release if more strict CSP directives become available.
  37. *
  38. * @since 14.0.0
  39. * @deprecated 17.0.0
  40. */
  41. class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
  42. /** @var bool Whether inline JS snippets are allowed */
  43. protected $inlineScriptAllowed = false;
  44. /** @var bool Whether eval in JS scripts is allowed */
  45. protected $evalScriptAllowed = false;
  46. /** @var array Domains from which scripts can get loaded */
  47. protected $allowedScriptDomains = [
  48. '\'self\'',
  49. ];
  50. /** @var bool Whether inline CSS is allowed */
  51. protected $inlineStyleAllowed = false;
  52. /** @var array Domains from which CSS can get loaded */
  53. protected $allowedStyleDomains = [
  54. '\'self\'',
  55. ];
  56. /** @var array Domains from which images can get loaded */
  57. protected $allowedImageDomains = [
  58. '\'self\'',
  59. 'data:',
  60. 'blob:',
  61. ];
  62. /** @var array Domains to which connections can be done */
  63. protected $allowedConnectDomains = [
  64. '\'self\'',
  65. ];
  66. /** @var array Domains from which media elements can be loaded */
  67. protected $allowedMediaDomains = [
  68. '\'self\'',
  69. ];
  70. /** @var array Domains from which object elements can be loaded */
  71. protected $allowedObjectDomains = [];
  72. /** @var array Domains from which iframes can be loaded */
  73. protected $allowedFrameDomains = [];
  74. /** @var array Domains from which fonts can be loaded */
  75. protected $allowedFontDomains = [
  76. '\'self\'',
  77. ];
  78. /** @var array Domains from which web-workers and nested browsing content can load elements */
  79. protected $allowedChildSrcDomains = [];
  80. /** @var array Domains which can embed this Nextcloud instance */
  81. protected $allowedFrameAncestors = [];
  82. }