1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 |
- <?php
- declare(strict_types=1);
- /**
- * @copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
- *
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- */
- namespace OCP\AppFramework\Http;
- /**
- * Class StrictContentSecurityPolicy is a simple helper which allows applications to
- * modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript,
- * stylesheets, images, fonts, media and connections from the same domain
- * ('self') are allowed.
- *
- * Even if a value gets modified above defaults will still get appended. Please
- * notice that Nextcloud ships already with sensible defaults and those policies
- * should require no modification at all for most use-cases.
- *
- * This class represents out strictest defaults. They may get change from release
- * to release if more strict CSP directives become available.
- *
- * @since 14.0.0
- * @deprecated 17.0.0
- */
- class StrictContentSecurityPolicy extends EmptyContentSecurityPolicy {
- /** @var bool Whether inline JS snippets are allowed */
- protected $inlineScriptAllowed = false;
- /** @var bool Whether eval in JS scripts is allowed */
- protected $evalScriptAllowed = false;
- /** @var array Domains from which scripts can get loaded */
- protected $allowedScriptDomains = [
- '\'self\'',
- ];
- /** @var bool Whether inline CSS is allowed */
- protected $inlineStyleAllowed = false;
- /** @var array Domains from which CSS can get loaded */
- protected $allowedStyleDomains = [
- '\'self\'',
- ];
- /** @var array Domains from which images can get loaded */
- protected $allowedImageDomains = [
- '\'self\'',
- 'data:',
- 'blob:',
- ];
- /** @var array Domains to which connections can be done */
- protected $allowedConnectDomains = [
- '\'self\'',
- ];
- /** @var array Domains from which media elements can be loaded */
- protected $allowedMediaDomains = [
- '\'self\'',
- ];
- /** @var array Domains from which object elements can be loaded */
- protected $allowedObjectDomains = [];
- /** @var array Domains from which iframes can be loaded */
- protected $allowedFrameDomains = [];
- /** @var array Domains from which fonts can be loaded */
- protected $allowedFontDomains = [
- '\'self\'',
- ];
- /** @var array Domains from which web-workers and nested browsing content can load elements */
- protected $allowedChildSrcDomains = [];
- /** @var array Domains which can embed this Nextcloud instance */
- protected $allowedFrameAncestors = [];
- }
|