khanh.pndc/nextcloud-docs
1
0
Fork 0
mirror of https://github.com/nextcloud/documentation.git synced 2026-01-02 17:59:36 +07:00
Code Issues Packages Projects Releases Wiki Activity

fix(dev): Add useStrictDynamicOnScripts to OCP\AppFramework\Http\EmptyContentSecurityPolicy

Browse Source 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
This commit is contained in:
Ferdinand Thiessen
2023-11-17 14:48:12 +01:00
parent 91bde0d836
commit a32ee9d18b
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_28.rst
View File

@@ -131,6 +131,7 @@ The details of this change can also be seen in the todo items that are linked fr
Added APIs
^^^^^^^^^^
* ``\OCP\AppFramework\Http\EmptyContentSecurityPolicy::useStrictDynamicOnScripts`` to set 'strict-dynamic' on the 'script-src-elem' CSP, this is set by default to true to allow apps using module JS to import dependencies.
* ``\OCP\Mail\IMessage::setSubject`` to set an email subject. See :ref:`email` for an example.
* ``\OCP\Mail\IMessage::setHtmlBody`` and ``\OCP\Mail\IMessage::setPlainBody`` to set an email body See :ref:`email` for an example.
* ``\OCP\IEventSourceFactory`` to create a ``OCP\IEventSource`` instance.

12
developer_manual/basics/controllers.rst
View File

@@ -669,7 +669,8 @@ If you want to use a custom, lazily rendered response simply implement the inter
Modifying the content security policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_. However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.
By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_.
However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.
.. note:: Double check your content and edge cases before you relax the policy! Also read the `documentation provided by MDN <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_
@@ -680,6 +681,15 @@ The following methods turn off security features by passing in **true** as the *
* **allowInlineScript** (bool $isAllowed)
* **allowInlineStyle** (bool $isAllowed)
* **allowEvalScript** (bool $isAllowed)
* **useStrictDynamic** (bool $isAllowed)
Trust all scripts that are loaded by a trusted script, see 'script-src' and 'strict-dynamic'
* **useStrictDynamicOnScripts** (bool $isAllowed)
Trust all scripts that are loaded by a trusted script which was loaded using a ``<script>`` tag, see 'script-src-elem' **(enabled by default)**
.. note:: ``useStrictDynamicOnScripts`` is enabled by default to allow module javascript to load its dependencies using ``import`` since Nextcloud 28. You can disable this by passing **false** as the parameter.
The following methods whitelist domains by passing in a domain or \* for any domain: