EmptyContentSecurityPolicy
- class OCP\AppFramework\Http\EmptyContentSecurityPolicy
  Class EmptyContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy sent by ownCloud. By default the policy forbids everything. As an alternative with sane exemptions, look at ContentSecurityPolicy.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#40
Properties
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$inlineScriptAllowed
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#42
  Type: bool
  Whether inline JS snippets are allowed
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$useJsNonce
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#44
  Type: string
  Whether JS nonces should be used
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$evalScriptAllowed
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#50
  Type: bool
  Whether eval in JS scripts is allowed
  TODO: Disallow per default
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedScriptDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#52
  Type: array
  Domains from which scripts can get loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$inlineStyleAllowed
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#58
  Type: bool
  Whether inline CSS is allowed
  TODO: Disallow per default
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedStyleDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#60
  Type: array
  Domains from which CSS can get loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedImageDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#62
  Type: array
  Domains from which images can get loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedConnectDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#64
  Type: array
  Domains to which connections can be done
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedMediaDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#66
  Type: array
  Domains from which media elements can be loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedObjectDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#68
  Type: array
  Domains from which object elements can be loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFrameDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#70
  Type: array
  Domains from which iframes can be loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFontDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#72
  Type: array
  Domains from which fonts can be loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedChildSrcDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#74
  Type: array
  Domains from which web-workers and nested browsing content can load elements
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFrameAncestors
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#76
  Type: array
  Domains which can embed this Nextcloud instance
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedWorkerSrcDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#78
  Type: array
  Domains from which web-workers can be loaded
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFormActionDomains
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#80
  Type: array
  Domains which can be used as target for forms
- protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$reportTo
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#83
  Type: array
  Locations to report violations to
Methods
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript($state=false)
  Whether inline JavaScript snippets are allowed or forbidden
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#92
  Parameters:
    - $state (bool)
  Returns: $this
  Since: 8.1.0
  Deprecated: 10.0 CSP tokens are now used
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::useJsNonce($nonce)
  Use the corresponding JS nonce. This method is only for CSPMiddleware; custom values are ignored in mergePolicies of ContentSecurityPolicyManager.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#105
  Parameters:
    - $nonce (string)
  Returns: $this
  Since: 11.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowEvalScript($state=true)
  Whether eval in JavaScript is allowed or forbidden
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#117
  Parameters:
    - $state (bool)
  Returns: $this
  Since: 8.1.0
  Deprecated: Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedScriptDomain($domain)
  Allows executing JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#129
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowScriptDomain($domain)
  Remove the specified allowed script domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#141
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineStyle($state=true)
  Whether inline CSS snippets are allowed or forbidden
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#152
  Parameters:
    - $state (bool)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedStyleDomain($domain)
  Allows loading CSS files from a specific domain. Use * to allow CSS from all domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#164
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowStyleDomain($domain)
  Remove the specified allowed style domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#176
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFontDomain($domain)
  Allows using fonts from a specific domain. Use * to allow fonts from all domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#188
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFontDomain($domain)
  Remove the specified allowed font domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#200
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedImageDomain($domain)
  Allows embedding images from a specific domain. Use * to allow images from all domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#212
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowImageDomain($domain)
  Remove the specified allowed image domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#224
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedConnectDomain($domain)
  Remote domains to which the JS can connect.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#235
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowConnectDomain($domain)
  Remove the specified allowed connect domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#247
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedMediaDomain($domain)
  From which domains media elements can be embedded.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#258
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowMediaDomain($domain)
  Remove the specified allowed media domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#270
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedObjectDomain($domain)
  From which domains objects such as <object>, <embed> or <applet> are executed
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#281
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowObjectDomain($domain)
  Remove the specified allowed object domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#293
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFrameDomain($domain)
  Which domains can be embedded in an iframe
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#304
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFrameDomain($domain)
  Remove the specified allowed frame domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#316
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedChildSrcDomain($domain)
  Domains from which web-workers and nested browsing content can load elements
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#328
  Parameters:
    - $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
  Returns: $this
  Since: 8.1.0
  Deprecated: 15.0.0 use addAllowedWorkerSrcDomains or addAllowedFrameDomain
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowChildSrcDomain($domain)
  Remove the specified allowed child src domain from the allowed domains.
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#341
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 8.1.0
  Deprecated: 15.0.0 use the WorkerSrcDomains or FrameDomain
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFrameAncestorDomain($domain)
  Domains which can embed an iFrame of the Nextcloud instance
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#353
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 13.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFrameAncestorDomain($domain)
  Domains which can embed an iFrame of the Nextcloud instance
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#365
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 13.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedWorkerSrcDomain($domain)
  Domain from which workers can be loaded
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#377
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 15.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowWorkerSrcDomain($domain)
  Remove domain from which workers can be loaded
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#389
  Parameters:
    - $domain (string)
  Returns: $this
  Since: 15.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFormActionDomain($domain)
  Domain to where forms can submit
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#401
  Since: 17.0.0
  Returns: $this
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFormActionDomain($domain)
  Remove domain to where forms can submit
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#412
  Returns: $this
  Since: 17.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addReportTo($location)
  Add location to report CSP violations to
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#424
  Parameters:
    - $location (string)
  Returns: $this
  Since: 15.0.0
- public OCP\AppFramework\Http\EmptyContentSecurityPolicy::buildPolicy()
  Get the generated Content-Security-Policy as a string
  Source: lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#434
  Returns: string
  Since: 8.1.0
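The addAllowed*Domain entries above leave sanitizing $domain to the caller. The following is an added example, not code from Nextcloud or from this reference: a hypothetical helper, normalizeCspOrigin(), reduces a configured value to a bare https origin before it is added to a policy that starts out forbidding everything. It assumes it runs inside a Nextcloud app where the OCP classes autoload; the sample values are constructed.

```php
<?php
declare(strict_types=1);

use OCP\AppFramework\Http\EmptyContentSecurityPolicy;

/**
 * Hypothetical helper (not part of Nextcloud): return scheme://host[:port]
 * for an acceptable https origin, or null for anything else.
 */
function normalizeCspOrigin(string $value): ?string {
    $parts = parse_url($value);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    // Only scheme, host and port may be present: no user info, path, query or fragment.
    if (array_diff(array_keys($parts), ['scheme', 'host', 'port']) !== []) {
        return null;
    }
    // Allowlist the host characters. This keeps out ';' (which would start a
    // new directive), whitespace (a new source expression), quotes (keywords
    // such as 'unsafe-inline') and '*' (wildcards).
    $host = strtolower($parts['host'] ?? '');
    if (preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host) !== 1) {
        return null;
    }
    $origin = 'https://' . $host;
    return isset($parts['port']) ? $origin . ':' . $parts['port'] : $origin;
}

// Constructed sample input, e.g. values read from an admin-editable app setting.
$configured = ['https://cdn.example.com', 'https://x.example; script-src *', '*'];

$csp = new EmptyContentSecurityPolicy();
$rejected = [];
foreach ($configured as $value) {
    $origin = normalizeCspOrigin($value);
    if ($origin === null) {
        $rejected[] = $value;   // log these rather than passing them on
        continue;
    }
    $csp->addAllowedImageDomain($origin)
        ->addAllowedConnectDomain($origin);
}

// In a controller the policy object is normally attached to the response
// (Response::setContentSecurityPolicy); buildPolicy() shows the header value.
$headerValue = $csp->buildPolicy();
```

Only the first sample value reaches the policy; the other two end up in $rejected.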