StrictEvalContentSecurityPolicy
extends ContentSecurityPolicy
in package
Class StrictEvalContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, stylesheets, images, fonts, media and connections from the same domain ('self') are allowed.
Even if a value gets modified above defaults will still get appended. Please note that Nextcloud ships already with sensible defaults and those policies should require no modification at all for most use-cases.
This is a temp helper class from the default ContentSecurityPolicy to allow slow migration to a stricter CSP. This does not allow unsafe eval.
Tags
Table of Contents
Properties
- $allowedChildSrcDomains : array<string|int, mixed>
- $allowedConnectDomains : array<string|int, mixed>
- $allowedFontDomains : array<string|int, mixed>
- $allowedFormActionDomains : array<string|int, mixed>
- $allowedFrameAncestors : array<string|int, mixed>
- $allowedFrameDomains : array<string|int, mixed>
- $allowedImageDomains : array<string|int, mixed>
- $allowedMediaDomains : array<string|int, mixed>
- $allowedObjectDomains : array<string|int, mixed>
- $allowedScriptDomains : array<string|int, mixed>
- $allowedStyleDomains : array<string|int, mixed>
- $allowedWorkerSrcDomains : array<string|int, mixed>
- $evalScriptAllowed : bool
- $evalWasmAllowed : bool
- $inlineScriptAllowed : bool
- $inlineStyleAllowed : bool
- $jsNonce : string|null
- $reportTo : array<string|int, mixed>
- $strictDynamicAllowed : bool
- $strictDynamicAllowedOnScripts : bool
Methods
- __construct() : mixed
- addAllowedChildSrcDomain() : $this
- Domains from which web-workers and nested browsing content can load elements
- addAllowedConnectDomain() : $this
- To which remote domains the JS connect to.
- addAllowedFontDomain() : $this
- Allows using fonts from a specific domain. Use * to allow fonts from all domains.
- addAllowedFormActionDomain() : $this
- Domain to where forms can submit
- addAllowedFrameAncestorDomain() : $this
- Domains which can embed an iFrame of the Nextcloud instance
- addAllowedFrameDomain() : $this
- Which domains can be embedded in an iframe
- addAllowedImageDomain() : $this
- Allows embedding images from a specific domain. Use * to allow images from all domains.
- addAllowedMediaDomain() : $this
- From which domains media elements can be embedded.
- addAllowedObjectDomain() : $this
- From which domains objects such as <object>, <embed> or <applet> are executed
- addAllowedScriptDomain() : $this
- Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
- addAllowedStyleDomain() : $this
- Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
- addAllowedWorkerSrcDomain() : $this
- Domain from which workers can be loaded
- addReportTo() : $this
- Add location to report CSP violations to
- allowEvalScript() : $this
- Whether eval in JavaScript is allowed or forbidden
- allowEvalWasm() : $this
- Whether WebAssembly compilation is allowed or forbidden
- allowInlineStyle() : $this
- Whether inline CSS snippets are allowed or forbidden
- buildPolicy() : string
- Get the generated Content-Security-Policy as a string
- disallowChildSrcDomain() : $this
- Remove the specified allowed child src domain from the allowed domains.
- disallowConnectDomain() : $this
- Remove the specified allowed connect domain from the allowed domains.
- disallowFontDomain() : $this
- Remove the specified allowed font domain from the allowed domains.
- disallowFormActionDomain() : $this
- Remove domain to where forms can submit
- disallowFrameAncestorDomain() : $this
- Domains which can embed an iFrame of the Nextcloud instance
- disallowFrameDomain() : $this
- Remove the specified allowed frame domain from the allowed domains.
- disallowImageDomain() : $this
- Remove the specified allowed image domain from the allowed domains.
- disallowMediaDomain() : $this
- Remove the specified allowed media domain from the allowed domains.
- disallowObjectDomain() : $this
- Remove the specified allowed object domain from the allowed domains.
- disallowScriptDomain() : $this
- Remove the specified allowed script domain from the allowed domains.
- disallowStyleDomain() : $this
- Remove the specified allowed style domain from the allowed domains.
- disallowWorkerSrcDomain() : $this
- Remove domain from which workers can be loaded
- useJsNonce() : $this
- Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
- useStrictDynamic() : EmptyContentSecurityPolicy
- useStrictDynamicOnScripts() : EmptyContentSecurityPolicy
- In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem Meaning only grants trust to all imports of scripts that were loaded in `<script>` tags, and thus weakens less the CSP.
Properties
$allowedChildSrcDomains
protected
array<string|int, mixed>
$allowedChildSrcDomains
= null
Domains from which web-workers and nested browsing content can load elements
$allowedConnectDomains
protected
array<string|int, mixed>
$allowedConnectDomains
= null
Domains to which connections can be done
$allowedFontDomains
protected
array<string|int, mixed>
$allowedFontDomains
= null
Domains from which fonts can be loaded
$allowedFormActionDomains
protected
array<string|int, mixed>
$allowedFormActionDomains
= null
Domains which can be used as target for forms
$allowedFrameAncestors
protected
array<string|int, mixed>
$allowedFrameAncestors
= null
Domains which can embed this Nextcloud instance
$allowedFrameDomains
protected
array<string|int, mixed>
$allowedFrameDomains
= null
Domains from which iframes can be loaded
$allowedImageDomains
protected
array<string|int, mixed>
$allowedImageDomains
= null
Domains from which images can get loaded
$allowedMediaDomains
protected
array<string|int, mixed>
$allowedMediaDomains
= null
Domains from which media elements can be loaded
$allowedObjectDomains
protected
array<string|int, mixed>
$allowedObjectDomains
= null
Domains from which object elements can be loaded
$allowedScriptDomains
protected
array<string|int, mixed>
$allowedScriptDomains
= null
Domains from which scripts can get loaded
$allowedStyleDomains
protected
array<string|int, mixed>
$allowedStyleDomains
= null
Domains from which CSS can get loaded
$allowedWorkerSrcDomains
protected
array<string|int, mixed>
$allowedWorkerSrcDomains
= null
Domains from which web-workers can be loaded
$evalScriptAllowed
protected
bool
$evalScriptAllowed
= null
Whether eval in JS scripts is allowed TODO: Disallow per default
Tags
$evalWasmAllowed
protected
bool
$evalWasmAllowed
= null
Whether WebAssembly compilation is allowed
$inlineScriptAllowed
protected
bool
$inlineScriptAllowed
= false
Whether inline JS snippets are allowed
$inlineStyleAllowed
protected
bool
$inlineStyleAllowed
= null
Whether inline CSS is allowed TODO: Disallow per default
Tags
$jsNonce
protected
string|null
$jsNonce
= null
JS nonce to be used
$reportTo
protected
array<string|int, mixed>
$reportTo
= null
Locations to report violations to
$strictDynamicAllowed
protected
bool
$strictDynamicAllowed
= null
Whether strict-dynamic should be used
$strictDynamicAllowedOnScripts
protected
bool
$strictDynamicAllowedOnScripts
= null
Whether strict-dynamic should be used on script-src-elem
Methods
__construct()
public
__construct() : mixed
Tags
addAllowedChildSrcDomain()
Domains from which web-workers and nested browsing content can load elements
public
addAllowedChildSrcDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedConnectDomain()
To which remote domains the JS connect to.
public
addAllowedConnectDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedFontDomain()
Allows using fonts from a specific domain. Use * to allow fonts from all domains.
public
addAllowedFontDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedFormActionDomain()
Domain to where forms can submit
public
addAllowedFormActionDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisaddAllowedFrameAncestorDomain()
Domains which can embed an iFrame of the Nextcloud instance
public
addAllowedFrameAncestorDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisaddAllowedFrameDomain()
Which domains can be embedded in an iframe
public
addAllowedFrameDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedImageDomain()
Allows embedding images from a specific domain. Use * to allow images from all domains.
public
addAllowedImageDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedMediaDomain()
From which domains media elements can be embedded.
public
addAllowedMediaDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedObjectDomain()
From which domains objects such as <object>, <embed> or <applet> are executed
public
addAllowedObjectDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedScriptDomain()
Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
public
addAllowedScriptDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedStyleDomain()
Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
public
addAllowedStyleDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$thisaddAllowedWorkerSrcDomain()
Domain from which workers can be loaded
public
addAllowedWorkerSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisaddReportTo()
Add location to report CSP violations to
public
addReportTo(string $location) : $this
Parameters
- $location : string
Tags
Return values
$thisallowEvalScript()
Whether eval in JavaScript is allowed or forbidden
public
allowEvalScript([bool $state = true ]) : $this
Parameters
- $state : bool = true
Tags
Return values
$thisallowEvalWasm()
Whether WebAssembly compilation is allowed or forbidden
public
allowEvalWasm([bool $state = true ]) : $this
Parameters
- $state : bool = true
Tags
Return values
$thisallowInlineStyle()
Whether inline CSS snippets are allowed or forbidden
public
allowInlineStyle([bool $state = true ]) : $this
Parameters
- $state : bool = true
Tags
Return values
$thisbuildPolicy()
Get the generated Content-Security-Policy as a string
public
buildPolicy() : string
Tags
Return values
stringdisallowChildSrcDomain()
Remove the specified allowed child src domain from the allowed domains.
public
disallowChildSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowConnectDomain()
Remove the specified allowed connect domain from the allowed domains.
public
disallowConnectDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowFontDomain()
Remove the specified allowed font domain from the allowed domains.
public
disallowFontDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowFormActionDomain()
Remove domain to where forms can submit
public
disallowFormActionDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowFrameAncestorDomain()
Domains which can embed an iFrame of the Nextcloud instance
public
disallowFrameAncestorDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowFrameDomain()
Remove the specified allowed frame domain from the allowed domains.
public
disallowFrameDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowImageDomain()
Remove the specified allowed image domain from the allowed domains.
public
disallowImageDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowMediaDomain()
Remove the specified allowed media domain from the allowed domains.
public
disallowMediaDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowObjectDomain()
Remove the specified allowed object domain from the allowed domains.
public
disallowObjectDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowScriptDomain()
Remove the specified allowed script domain from the allowed domains.
public
disallowScriptDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowStyleDomain()
Remove the specified allowed style domain from the allowed domains.
public
disallowStyleDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisdisallowWorkerSrcDomain()
Remove domain from which workers can be loaded
public
disallowWorkerSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$thisuseJsNonce()
Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
public
useJsNonce(string $nonce) : $this
Parameters
- $nonce : string
Tags
Return values
$thisuseStrictDynamic()
public
useStrictDynamic([bool $state = false ]) : EmptyContentSecurityPolicy
Parameters
- $state : bool = false
Tags
Return values
EmptyContentSecurityPolicyuseStrictDynamicOnScripts()
In contrast to `useStrictDynamic` this only sets strict-dynamic on script-src-elem Meaning only grants trust to all imports of scripts that were loaded in `<script>` tags, and thus weakens less the CSP.
public
useStrictDynamicOnScripts([bool $state = false ]) : EmptyContentSecurityPolicy
Parameters
- $state : bool = false