Nextcloud PHP API (master)

StrictEvalContentSecurityPolicy extends ContentSecurityPolicy
in package

Class StrictEvalContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, stylesheets, images, fonts, media and connections from the same domain ('self') are allowed.

Even if a value gets modified above defaults will still get appended. Please note that Nextcloud ships already with sensible defaults and those policies should require no modification at all for most use-cases.

This is a temp helper class from the default ContentSecurityPolicy to allow slow migration to a stricter CSP. This does not allow unsafe eval.

Tags
since
14.0.0

Table of Contents

Properties

$allowedChildSrcDomains  : array<string|int, mixed>
$allowedConnectDomains  : array<string|int, mixed>
$allowedFontDomains  : array<string|int, mixed>
$allowedFormActionDomains  : array<string|int, mixed>
$allowedFrameAncestors  : array<string|int, mixed>
$allowedFrameDomains  : array<string|int, mixed>
$allowedImageDomains  : array<string|int, mixed>
$allowedMediaDomains  : array<string|int, mixed>
$allowedObjectDomains  : array<string|int, mixed>
$allowedScriptDomains  : array<string|int, mixed>
$allowedStyleDomains  : array<string|int, mixed>
$allowedWorkerSrcDomains  : array<string|int, mixed>
$evalScriptAllowed  : bool
$evalWasmAllowed  : bool
$inlineScriptAllowed  : bool
$inlineStyleAllowed  : bool
$jsNonce  : string|null
$reportTo  : array<string|int, mixed>
$strictDynamicAllowed  : bool
$strictDynamicAllowedOnScripts  : bool

Methods

__construct()  : mixed
addAllowedChildSrcDomain()  : $this
Domains from which web-workers and nested browsing content can load elements
addAllowedConnectDomain()  : $this
To which remote domains the JS connect to.
addAllowedFontDomain()  : $this
Allows using fonts from a specific domain. Use * to allow fonts from all domains.
addAllowedFormActionDomain()  : $this
Domain to where forms can submit
addAllowedFrameAncestorDomain()  : $this
Domains which can embed an iFrame of the Nextcloud instance
addAllowedFrameDomain()  : $this
Which domains can be embedded in an iframe
addAllowedImageDomain()  : $this
Allows embedding images from a specific domain. Use * to allow images from all domains.
addAllowedMediaDomain()  : $this
From which domains media elements can be embedded.
addAllowedObjectDomain()  : $this
From which domains objects such as <object>, <embed> or <applet> are executed
addAllowedScriptDomain()  : $this
Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
addAllowedStyleDomain()  : $this
Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
addAllowedWorkerSrcDomain()  : $this
Domain from which workers can be loaded
addReportTo()  : $this
Add location to report CSP violations to
allowEvalScript()  : $this
Whether eval in JavaScript is allowed or forbidden
allowEvalWasm()  : $this
Whether WebAssembly compilation is allowed or forbidden
allowInlineStyle()  : $this
Whether inline CSS snippets are allowed or forbidden
buildPolicy()  : string
Get the generated Content-Security-Policy as a string
disallowChildSrcDomain()  : $this
Remove the specified allowed child src domain from the allowed domains.
disallowConnectDomain()  : $this
Remove the specified allowed connect domain from the allowed domains.
disallowFontDomain()  : $this
Remove the specified allowed font domain from the allowed domains.
disallowFormActionDomain()  : $this
Remove domain to where forms can submit
disallowFrameAncestorDomain()  : $this
Domains which can embed an iFrame of the Nextcloud instance
disallowFrameDomain()  : $this
Remove the specified allowed frame domain from the allowed domains.
disallowImageDomain()  : $this
Remove the specified allowed image domain from the allowed domains.
disallowMediaDomain()  : $this
Remove the specified allowed media domain from the allowed domains.
disallowObjectDomain()  : $this
Remove the specified allowed object domain from the allowed domains.
disallowScriptDomain()  : $this
Remove the specified allowed script domain from the allowed domains.
disallowStyleDomain()  : $this
Remove the specified allowed style domain from the allowed domains.
disallowWorkerSrcDomain()  : $this
Remove domain from which workers can be loaded
useJsNonce()  : $this
The base64 encoded nonce to be used for script source.
useStrictDynamic()  : EmptyContentSecurityPolicy
useStrictDynamicOnScripts()  : EmptyContentSecurityPolicy
In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem Meaning only grants trust to all imports of scripts that were loaded in `<script>` tags, and thus weakens less the CSP.

Properties

$allowedChildSrcDomains

protected array<string|int, mixed> $allowedChildSrcDomains = []

Domains from which web-workers and nested browsing content can load elements

$allowedConnectDomains

protected array<string|int, mixed> $allowedConnectDomains = ['\'self\'']

Domains to which connections can be done

$allowedFontDomains

protected array<string|int, mixed> $allowedFontDomains = ['\'self\'', 'data:']

Domains from which fonts can be loaded

$allowedFormActionDomains

protected array<string|int, mixed> $allowedFormActionDomains = ['\'self\'']

Domains which can be used as target for forms

$allowedFrameAncestors

protected array<string|int, mixed> $allowedFrameAncestors = ['\'self\'']

Domains which can embed this Nextcloud instance

$allowedFrameDomains

protected array<string|int, mixed> $allowedFrameDomains = []

Domains from which iframes can be loaded

$allowedImageDomains

protected array<string|int, mixed> $allowedImageDomains = ['\'self\'', 'data:', 'blob:']

Domains from which images can get loaded

$allowedMediaDomains

protected array<string|int, mixed> $allowedMediaDomains = ['\'self\'']

Domains from which media elements can be loaded

$allowedObjectDomains

protected array<string|int, mixed> $allowedObjectDomains = []

Domains from which object elements can be loaded

$allowedScriptDomains

protected array<string|int, mixed> $allowedScriptDomains = ['\'self\'']

Domains from which scripts can get loaded

$allowedStyleDomains

protected array<string|int, mixed> $allowedStyleDomains = ['\'self\'']

Domains from which CSS can get loaded

$allowedWorkerSrcDomains

protected array<string|int, mixed> $allowedWorkerSrcDomains = []

Domains from which web-workers can be loaded

$evalScriptAllowed

protected bool $evalScriptAllowed = false

Whether eval in JS scripts is allowed

$evalWasmAllowed

protected bool $evalWasmAllowed = false

Whether WebAssembly compilation is allowed

$inlineScriptAllowed

protected bool $inlineScriptAllowed = false

Whether inline JS snippets are allowed

$reportTo

protected array<string|int, mixed> $reportTo = []

Locations to report violations to

$strictDynamicAllowed

protected bool $strictDynamicAllowed = false

Whether strict-dynamic should be set

$strictDynamicAllowedOnScripts

protected bool $strictDynamicAllowedOnScripts = true

Whether strict-dynamic should be set for 'script-src-elem'

Methods

addAllowedChildSrcDomain()

Domains from which web-workers and nested browsing content can load elements

public addAllowedChildSrcDomain(string $domain) : $this

use addAllowedWorkerSrcDomains or addAllowedFrameDomain

Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedConnectDomain()

To which remote domains the JS connect to.

public addAllowedConnectDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedFontDomain()

Allows using fonts from a specific domain. Use * to allow fonts from all domains.

public addAllowedFontDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedFormActionDomain()

Domain to where forms can submit

public addAllowedFormActionDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
17.0.0
Return values
$this

addAllowedFrameAncestorDomain()

Domains which can embed an iFrame of the Nextcloud instance

public addAllowedFrameAncestorDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
13.0.0
Return values
$this

addAllowedFrameDomain()

Which domains can be embedded in an iframe

public addAllowedFrameDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedImageDomain()

Allows embedding images from a specific domain. Use * to allow images from all domains.

public addAllowedImageDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedMediaDomain()

From which domains media elements can be embedded.

public addAllowedMediaDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedObjectDomain()

From which domains objects such as <object>, <embed> or <applet> are executed

public addAllowedObjectDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedScriptDomain()

Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.

public addAllowedScriptDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedStyleDomain()

Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.

public addAllowedStyleDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedWorkerSrcDomain()

Domain from which workers can be loaded

public addAllowedWorkerSrcDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
15.0.0
Return values
$this

addReportTo()

Add location to report CSP violations to

public addReportTo(string $location) : $this
Parameters
$location : string
Tags
since
15.0.0
Return values
$this

allowEvalScript()

Whether eval in JavaScript is allowed or forbidden

public allowEvalScript([bool $state = true ]) : $this

Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.

Parameters
$state : bool = true
Tags
since
8.1.0
Return values
$this

allowEvalWasm()

Whether WebAssembly compilation is allowed or forbidden

public allowEvalWasm([bool $state = true ]) : $this
Parameters
$state : bool = true
Tags
since
28.0.0
Return values
$this

allowInlineStyle()

Whether inline CSS snippets are allowed or forbidden

public allowInlineStyle([bool $state = true ]) : $this
Parameters
$state : bool = true
Tags
since
8.1.0
Return values
$this

buildPolicy()

Get the generated Content-Security-Policy as a string

public buildPolicy() : string
Tags
since
8.1.0
Return values
string

disallowChildSrcDomain()

Remove the specified allowed child src domain from the allowed domains.

public disallowChildSrcDomain(string $domain) : $this

use the WorkerSrcDomains or FrameDomain

Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowConnectDomain()

Remove the specified allowed connect domain from the allowed domains.

public disallowConnectDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowFontDomain()

Remove the specified allowed font domain from the allowed domains.

public disallowFontDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowFormActionDomain()

Remove domain to where forms can submit

public disallowFormActionDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
17.0.0
Return values
$this

disallowFrameAncestorDomain()

Domains which can embed an iFrame of the Nextcloud instance

public disallowFrameAncestorDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
13.0.0
Return values
$this

disallowFrameDomain()

Remove the specified allowed frame domain from the allowed domains.

public disallowFrameDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowImageDomain()

Remove the specified allowed image domain from the allowed domains.

public disallowImageDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowMediaDomain()

Remove the specified allowed media domain from the allowed domains.

public disallowMediaDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowObjectDomain()

Remove the specified allowed object domain from the allowed domains.

public disallowObjectDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowScriptDomain()

Remove the specified allowed script domain from the allowed domains.

public disallowScriptDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowStyleDomain()

Remove the specified allowed style domain from the allowed domains.

public disallowStyleDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowWorkerSrcDomain()

Remove domain from which workers can be loaded

public disallowWorkerSrcDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
15.0.0
Return values
$this

useJsNonce()

The base64 encoded nonce to be used for script source.

public useJsNonce(string $nonce) : $this

This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager

Parameters
$nonce : string
Tags
since
11.0.0
Return values
$this

useStrictDynamicOnScripts()

In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem Meaning only grants trust to all imports of scripts that were loaded in `<script>` tags, and thus weakens less the CSP.

public useStrictDynamicOnScripts([bool $state = false ]) : EmptyContentSecurityPolicy
Parameters
$state : bool = false
Tags
since
28.0.0
Return values
EmptyContentSecurityPolicy 

        

        
    




    

    

                                

                

                                
    

        On this page

        
    


                

                            

            

    

        

            
Search results