EmptyContentSecurityPolicy

class OCP\AppFramework\Http\EmptyContentSecurityPolicy
Class EmptyContentSecurityPolicy is a simple helper which allows applications
to modify the Content-Security-Policy sent by ownCloud. By default the policy
forbids everything.
For an alternative with sane exemptions, see ContentSecurityPolicy.
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#40

Properties

protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$inlineScriptAllowed
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#42
Type:bool Whether inline JS snippets are allowed
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$useJsNonce
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#44
Type:string Whether JS nonces should be used
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$evalScriptAllowed
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#50
Type:bool Whether eval in JS scripts is allowed. TODO: Disallow per default
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedScriptDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#52
Type:array Domains from which scripts can get loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$inlineStyleAllowed
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#58
Type:bool Whether inline CSS is allowed. TODO: Disallow per default
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedStyleDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#60
Type:array Domains from which CSS can get loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedImageDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#62
Type:array Domains from which images can get loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedConnectDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#64
Type:array Domains to which connections can be done
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedMediaDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#66
Type:array Domains from which media elements can be loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedObjectDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#68
Type:array Domains from which object elements can be loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFrameDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#70
Type:array Domains from which iframes can be loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFontDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#72
Type:array Domains from which fonts can be loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedChildSrcDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#74
Type:array Domains from which web-workers and nested browsing content can load elements
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFrameAncestors
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#76
Type:array Domains which can embed this Nextcloud instance
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedWorkerSrcDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#78
Type:array Domains from which web-workers can be loaded
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$allowedFormActionDomains
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#80
Type:array Domains which can be used as target for forms
protected static property OCP\AppFramework\Http\EmptyContentSecurityPolicy::$reportTo
Source:lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#83
Type:array Locations to report violations to

Methods

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript($state=false)
Whether inline JavaScript snippets are allowed or forbidden
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#92

Parameters:
  • $state (bool)
Returns:

$this

Since:

8.1.0

Deprecated:

10.0 CSP tokens are now used

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::useJsNonce($nonce)
Use the according JS nonce
This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#105

Parameters:
  • $nonce (string)
Returns:

$this

Since:

11.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowEvalScript($state=true)
Whether eval in JavaScript is allowed or forbidden
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#117

Parameters:
  • $state (bool)
Returns:

$this

Since:

8.1.0

Deprecated:

Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedScriptDomain($domain)
Allows executing JavaScript files from a specific domain. Use * to
allow JavaScript from all domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#129

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowScriptDomain($domain)
Remove the specified allowed script domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#141

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineStyle($state=true)
Whether inline CSS snippets are allowed or forbidden
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#152

Parameters:
  • $state (bool)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedStyleDomain($domain)
Allows CSS files to be loaded from a specific domain. Use * to allow
CSS from all domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#164

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowStyleDomain($domain)
Remove the specified allowed style domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#176

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFontDomain($domain)
Allows using fonts from a specific domain. Use * to allow
fonts from all domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#188

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFontDomain($domain)
Remove the specified allowed font domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#200

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedImageDomain($domain)
Allows embedding images from a specific domain. Use * to allow
images from all domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#212

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowImageDomain($domain)
Remove the specified allowed image domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#224

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedConnectDomain($domain)
Remote domains to which the JS can connect.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#235

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowConnectDomain($domain)
Remove the specified allowed connect domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#247

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedMediaDomain($domain)
From which domains media elements can be embedded.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#258

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowMediaDomain($domain)
Remove the specified allowed media domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#270

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedObjectDomain($domain)
From which domains objects such as <object>, <embed> or <applet> are executed
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#281

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowObjectDomain($domain)
Remove the specified allowed object domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#293

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFrameDomain($domain)
Which domains can be embedded in an iframe
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#304

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFrameDomain($domain)
Remove the specified allowed frame domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#316

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedChildSrcDomain($domain)
Domains from which web-workers and nested browsing content can load elements
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#328

Parameters:
  • $domain (string) Domain to whitelist. Any passed value needs to be properly sanitized.
Returns:

$this

Since:

8.1.0

Deprecated:

15.0.0 use addAllowedWorkerSrcDomain or addAllowedFrameDomain

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowChildSrcDomain($domain)
Remove the specified allowed child src domain from the allowed domains.
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#341

Parameters:
  • $domain (string)
Returns:

$this

Since:

8.1.0

Deprecated:

15.0.0 use the WorkerSrcDomains or FrameDomain

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFrameAncestorDomain($domain)
Domains which can embed an iFrame of the Nextcloud instance
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#353

Parameters:
  • $domain (string)
Returns:

$this

Since:

13.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFrameAncestorDomain($domain)
Remove the specified domain from the domains which can embed an iFrame of the Nextcloud instance
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#365

Parameters:
  • $domain (string)
Returns:

$this

Since:

13.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedWorkerSrcDomain($domain)
Domain from which workers can be loaded
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#377

Parameters:
  • $domain (string)
Returns:

$this

Since:

15.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowWorkerSrcDomain($domain)
Remove domain from which workers can be loaded
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#389

Parameters:
  • $domain (string)
Returns:

$this

Since:

15.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addAllowedFormActionDomain($domain)
Domain to where forms can submit
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#401

Returns:

$this

Since:

17.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::disallowFormActionDomain($domain)
Remove domain to where forms can submit
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#412

Returns:

$this

Since:

17.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::addReportTo($location)
Add location to report CSP violations to
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#424

Parameters:
  • $location (string)
Returns:

$this

Since:

15.0.0

public OCP\AppFramework\Http\EmptyContentSecurityPolicy::buildPolicy()
Get the generated Content-Security-Policy as a string
Source:

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php#434

Returns:

string

Since:

8.1.0
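
The add*Domain methods above note that "Any passed value needs to be properly sanitized." The following added example (not part of the Nextcloud source or its documentation) builds a policy from the deny-everything default and validates configured origins before they reach the header. It assumes it runs inside a Nextcloud app; cspOriginOrNull(), buildViewerPolicy() and the sample host list are hypothetical names and constructed values.

```php
<?php
declare(strict_types=1);

// Added example: OCP classes are autoloaded when this runs inside a Nextcloud app.
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;

/**
 * Hypothetical helper (not a Nextcloud API): accept only a bare
 * https://host[:port] origin, so a configured value cannot carry
 * whitespace, ';' or ',' into the Content-Security-Policy header
 * and thereby append directives of its own.
 */
function cspOriginOrNull(string $value): ?string {
    $value = trim($value);
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $host = $label . '(?:\.' . $label . ')*';
    if (preg_match('#^https://' . $host . '(?::\d{1,5})?$#iD', $value) !== 1) {
        return null;
    }
    return strtolower($value);
}

/**
 * Hypothetical helper: start from the empty policy and open up only
 * what one page needs.
 */
function buildViewerPolicy(array $configuredImageHosts): EmptyContentSecurityPolicy {
    $csp = new EmptyContentSecurityPolicy();
    $csp->allowEvalScript(false)      // the $state default is true
        ->allowInlineStyle(false)     // the $state default is true
        ->addAllowedScriptDomain("'self'")
        ->addAllowedStyleDomain("'self'")
        ->addAllowedConnectDomain("'self'");

    foreach ($configuredImageHosts as $candidate) {
        $origin = cspOriginOrNull((string)$candidate);
        if ($origin !== null) {       // drop anything that is not a plain origin
            $csp->addAllowedImageDomain($origin);
        }
    }
    return $csp;
}

// Constructed sample input: the second entry is malformed and is skipped.
$hosts = ['https://img.example.org', 'https://cdn.example.net; script-src *'];
$header = buildViewerPolicy($hosts)->buildPolicy();
```

In a controller the policy object is attached to the response with setContentSecurityPolicy() rather than by emitting the string from buildPolicy() directly.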