chore(developer): Add upgrade hint about CSP nonce

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Ferdinand Thiessen
2024-08-13 18:51:55 +02:00
parent 4d15a995a0
commit 7dffe2bd53
2 changed files with 27 additions and 0 deletions

View File

@@ -77,6 +77,30 @@ The border radius CSS variables have been refactored:
- ``--border-radius-pill`` is deprecated now in favor of ``--border-radius-element``.
- ``--border-radius-rounded`` is deprecated now in favor of ``--border-radius-container``.
CSP Nonce
^^^^^^^^^
A bug was fixed that prevented Nextcloud form using the ``CSP_NONCE`` environment variable,
this now means that the CSP nonce for JavaScript assets is no longer (guaranteed to be) based on the CSRF token.
Instead administrators can choose to use a differently generated token.
When using JavaScript modules this does not make a difference, as they are imported and the nonce has only to be set on the root module (done by Nextcloud),
but if you are using Webpack or otherwise dynamically load scripts, you now need adjust the CSP nonce handling.
Get the CSP nonce:
- Either use ``getCSPNonce`` from the ``@nextcloud/auth`` :ref:`package<js-library_nextcloud-auth>`, which is also backwards compatible.
- Or directly read the nonce from the ``<meta name="csp-nonce" />`` tag.
When using Webpack:
.. code-block:: diff
- import { getRequestToken } from '@nextcloud/auth'
- __webpack_nonce__ = btoa(getRequestToken())
+ import { getCSPNonce } from '@nextcloud/auth'
+ __webpack_nonce__ = getCSPNonce()
Added APIs
^^^^^^^^^^
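Review bot: two typos in the new prose: "prevented Nextcloud form using the ``CSP_NONCE`` environment variable" should read "from using", and "you now need adjust the CSP nonce handling" is missing "to". Beyond that, the sentence "the CSP nonce for JavaScript assets is no longer (guaranteed to be) based on the CSRF token" leaves the reader guessing what the nonce is now; spell out the two cases (nonce taken from ``CSP_NONCE`` when it is set, otherwise the previous CSRF-token-derived value) so app developers can reason about it. The "which is also backwards compatible" remark on ``getCSPNonce`` should say what that means in practice, i.e. which value the helper returns on a server that does not emit the ``<meta name="csp-nonce" />`` tag; the old ``btoa(getRequestToken())`` from the diff block is the natural candidate, and naming it makes clear that the one-line Webpack change is safe against older servers. Finally, "Webpack or otherwise dynamically load scripts" covers more than Webpack: anyone injecting ``<script>`` elements by hand must copy the nonce onto each element, which is worth one explicit sentence since a missing nonce is a silent CSP block rather than an error.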

View File

@@ -35,6 +35,7 @@ Development
Most packages are written in TypeScript in order to generate better API docs automatically but also to ensure compatibility with Nextcloud server in a programmatic way. The server is typed in `a dedicated npm package <https://www.npmjs.com/package/@nextcloud/typings>`_ that is used to check type soundness.
Packages in detail
^^^^^^^^^^^^^^^^^^
@@ -42,6 +43,8 @@ Packages in detail
The rest of this section will cover a rough overview of which packages are provided and what they are used for.
.. _js-library_nextcloud-auth:
``@nextcloud/auth``
^^^^^^^^^^^^^^^^^^^
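Review bot: the new ``.. _js-library_nextcloud-auth:`` target must be separated from the ``@nextcloud/auth`` heading by a blank line, otherwise Sphinx does not attach the label to the section and the ``:ref:`package<js-library_nextcloud-auth>``` added in the upgrade notes resolves to nothing. The rendered hunk shows the label directly above the heading; the "+2" in the hunk header suggests the blank line is present and was dropped in rendering, but please confirm with a docs build that the reference resolves.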