fix(dev): Add useStrictDynamicOnScripts to OCP\AppFramework\Http\EmptyContentSecurityPolicy #11291

merged 1 commit into from Nov 20, 2023
Expand Up @@ -131,6 +131,7 @@ The details of this change can also be seen in the todo items that are linked fr
Added APIs
^^^^^^^^^^

* ``\OCP\AppFramework\Http\EmptyContentSecurityPolicy::useStrictDynamicOnScripts`` to set 'strict-dynamic' on the 'script-src-elem' CSP, this is set by default to true to allow apps using module JS to import dependencies.
* ``\OCP\Mail\IMessage::setSubject`` to set an email subject. See :ref:`email` for an example.
* ``\OCP\Mail\IMessage::setHtmlBody`` and ``\OCP\Mail\IMessage::setPlainBody`` to set an email body See :ref:`email` for an example.
* ``\OCP\IEventSourceFactory`` to create a ``OCP\IEventSource`` instance.
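Review bot: The added bullet is a run-on and calls 'script-src-elem' a "CSP" rather than a directive; suggest splitting it into two sentences, e.g. ``\OCP\AppFramework\Http\EmptyContentSecurityPolicy::useStrictDynamicOnScripts`` to set 'strict-dynamic' on the 'script-src-elem' directive. This defaults to true so that apps using module JS can import their dependencies. Because a relaxation that is on by default applies to every app, the changelog entry should also state that apps can opt out by passing false, as the controllers.rst change in this same PR does.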
12 changes: 11 additions & 1 deletion developer_manual/basics/controllers.rst
Expand Up @@ -669,7 +669,8 @@ If you want to use a custom, lazily rendered response simply implement the inter
Modifying the content security policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_. However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.
By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_.
However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.

.. note:: Double check your content and edge cases before you relax the policy! Also read the `documentation provided by MDN <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_

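Review bot: The removed and added lines here are textually identical apart from the line break after the first sentence, so this is a whitespace-only change; the rendered output is unchanged because reStructuredText joins the lines of a paragraph with a space. That is fine as a one-sentence-per-line style change, but while touching the paragraph consider adding the missing comma on the second added line ('However, if an app relies on third-party media ...').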
Expand All @@ -680,6 +681,15 @@ The following methods turn off security features by passing in **true** as the *
* **allowInlineScript** (bool $isAllowed)
* **allowInlineStyle** (bool $isAllowed)
* **allowEvalScript** (bool $isAllowed)
* **useStrictDynamic** (bool $isAllowed)

Trust all scripts that are loaded by a trusted script, see 'script-src' and 'strict-dynamic'

* **useStrictDynamicOnScripts** (bool $isAllowed)

Trust all scripts that are loaded by a trusted script which was loaded using a ``<script>`` tag, see 'script-src-elem' **(enabled by default)**

.. note:: ``useStrictDynamicOnScripts`` is enabled by default to allow module javascript to load its dependencies using ``import`` since Nextcloud 28. You can disable this by passing **false** as the parameter.

The following methods whitelist domains by passing in a domain or \* for any domain:

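Review bot: The note on the last added line is ambiguous about what "since Nextcloud 28" qualifies (the default, or the ``import`` support); suggest leading with the version: "Since Nextcloud 28, ``useStrictDynamicOnScripts`` is enabled by default so that module JavaScript can load its dependencies with ``import``; pass **false** to disable it." Also "javascript" should be "JavaScript", matching the paragraph above, and the description lines for the two new entries ("Trust all scripts ...") should be indented under their bullets so reStructuredText renders them as part of the list item rather than as a paragraph that terminates the list. Finally, "trusted script" is never defined on this page; since the section intro says these methods turn off security features, a link to the 'strict-dynamic' documentation next to the MDN link already used above would help app developers judge the impact of leaving the default on.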