Bernhard Posselt
2015-04-27 13:51:53 +02:00
parent 3d0fb2e668
commit bf0af61147


@@ -526,6 +526,59 @@ If you want to use a custom, lazily rendered response simply implement the inter
.. note:: Because this code is rendered after several usually built in helpers, you need to take care of errors and proper HTTP caching by yourself.
Modifying the Content Securicy Policy
-------------------------------------
.. versionadded:: 8.1
By default ownCloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_. However if an app relies on thirdparty media or other features which are forbidden by the current policy the policy can be relaxed.
.. note:: Double check your content and edge cases before you relax the policy! Also read the `documentation provided by MDN <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_
To relax the policy pass an instance of the ContentSecurityPolicy class to your response. The methods on the class can be chained.
The following methods turn off security features by passing in **true** as the **$isAllowed** parameter
* **allowInlineScript** (bool $isAllowed)
* **allowInlineStyle** (bool $isAllowed)
* **allowEvalScript** (bool $isAllowed)
The following methods whitelist domains by passing in a domain or \* for any domain:
* **addAllowedScriptDomain** (string $domain)
* **addAllowedStyleDomain** (string $domain)
* **addAllowedFontDomain** (string $domain)
* **addAllowedImageDomain** (string $domain)
* **addAllowedConnectDomain** (string $domain)
* **addAllowedMediaDomain** (string $domain)
* **addAllowedObjectDomain** (string $domain)
* **addAllowedFrameDomain** (string $domain)
* **addAllowedChildSrcDomain** (string $domain)
The following policy for instance allows images, audio and videos from other domains:
.. code-block:: php
<?php
namespace OCA\MyApp\Controller;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Http\ContentSecurityPolicy;
class PageController extends Controller {
public function index() {
$response = new TemplateResponse('myapp', 'main');
$csp = new ContentSecurityPolicy();
$csp->addAllowedImageDomain('*');
->addAllowedMediaDomain('*');
$response->setContentSecurityPolicy($csp);
}
}
OCS
---
.. versionadded:: 8.1
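Review bot: The PHP example in this hunk does not parse: `$csp->addAllowedImageDomain('*');` ends the statement with a semicolon, so the following `->addAllowedMediaDomain('*');` has no receiver. Since the text above says the methods can be chained, drop the first semicolon so it reads `$csp->addAllowedImageDomain('*')` followed by `->addAllowedMediaDomain('*');`. The `index()` method also builds `$response` but never returns it, so the policy would never reach the client; add `return $response;` after `setContentSecurityPolicy`. Two typos in the same hunk: "Securicy" in the section heading (the underline length is unaffected by the fix) and "thirdparty" in the first paragraph. Finally, since the example passes `*` to the whitelist methods, it is worth saying in the text that `*` opens that source type to every origin, which is the widest relaxation the class offers and exactly what the preceding note warns readers to double-check.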