ContentSecurityPolicy extends EmptyContentSecurityPolicy
Class ContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, stylesheets, images, fonts, media and connections from the same domain ('self') are allowed.
Even if a value gets modified above defaults will still get appended. Please notice that Nextcloud ships already with sensible defaults and those policies should require no modification at all for most use-cases.
This class allows unsafe-eval of javascript and unsafe-inline of CSS.
Tags
Table of Contents
- $allowedChildSrcDomains : array
- $allowedConnectDomains : array
- $allowedFontDomains : array
- $allowedFormActionDomains : array
- $allowedFrameAncestors : array
- $allowedFrameDomains : array
- $allowedImageDomains : array
- $allowedMediaDomains : array
- $allowedObjectDomains : array
- $allowedScriptDomains : array
- $allowedStyleDomains : array
- $allowedWorkerSrcDomains : array
- $evalScriptAllowed : bool
- $inlineScriptAllowed : bool
- $inlineStyleAllowed : bool
- $reportTo : array
- $useJsNonce : string
- addAllowedChildSrcDomain() : $this
- Domains from which web-workers and nested browsing content can load elements
- addAllowedConnectDomain() : $this
- To which remote domains the JS connect to.
- addAllowedFontDomain() : $this
- Allows using fonts from a specific domain. Use * to allow fonts from all domains.
- addAllowedFormActionDomain() : $this
- Domain to where forms can submit
- addAllowedFrameAncestorDomain() : $this
- Domains which can embed an iFrame of the Nextcloud instance
- addAllowedFrameDomain() : $this
- Which domains can be embedded in an iframe
- addAllowedImageDomain() : $this
- Allows embedding images from a specific domain. Use * to allow images from all domains.
- addAllowedMediaDomain() : $this
- From which domains media elements can be embedded.
- addAllowedObjectDomain() : $this
- From which domains objects such as <object>, <embed> or <applet> are executed
- addAllowedScriptDomain() : $this
- Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
- addAllowedStyleDomain() : $this
- Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
- addAllowedWorkerSrcDomain() : $this
- Domain from which workers can be loaded
- addReportTo() : $this
- Add location to report CSP violations to
- allowEvalScript() : $this
- Whether eval in JavaScript is allowed or forbidden
- allowInlineScript() : $this
- Whether inline JavaScript snippets are allowed or forbidden
- allowInlineStyle() : $this
- Whether inline CSS snippets are allowed or forbidden
- buildPolicy() : string
- Get the generated Content-Security-Policy as a string
- disallowChildSrcDomain() : $this
- Remove the specified allowed child src domain from the allowed domains.
- disallowConnectDomain() : $this
- Remove the specified allowed connect domain from the allowed domains.
- disallowFontDomain() : $this
- Remove the specified allowed font domain from the allowed domains.
- disallowFormActionDomain() : $this
- Remove domain to where forms can submit
- disallowFrameAncestorDomain() : $this
- Domains which can embed an iFrame of the Nextcloud instance
- disallowFrameDomain() : $this
- Remove the specified allowed frame domain from the allowed domains.
- disallowImageDomain() : $this
- Remove the specified allowed image domain from the allowed domains.
- disallowMediaDomain() : $this
- Remove the specified allowed media domain from the allowed domains.
- disallowObjectDomain() : $this
- Remove the specified allowed object domain from the allowed domains.
- disallowScriptDomain() : $this
- Remove the specified allowed script domain from the allowed domains.
- disallowStyleDomain() : $this
- Remove the specified allowed style domain from the allowed domains.
- disallowWorkerSrcDomain() : $this
- Remove domain from which workers can be loaded
- useJsNonce() : $this
- Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
Properties
$allowedChildSrcDomains
protected
array
$allowedChildSrcDomains
= []
$allowedConnectDomains
protected
array
$allowedConnectDomains
= [''self'']
$allowedFontDomains
protected
array
$allowedFontDomains
= [''self'', 'data:']
$allowedFormActionDomains
protected
array
$allowedFormActionDomains
= [''self'']
$allowedFrameAncestors
protected
array
$allowedFrameAncestors
= [''self'']
$allowedFrameDomains
protected
array
$allowedFrameDomains
= []
$allowedImageDomains
protected
array
$allowedImageDomains
= [''self'', 'data:', 'blob:']
$allowedMediaDomains
protected
array
$allowedMediaDomains
= [''self'']
$allowedObjectDomains
protected
array
$allowedObjectDomains
= []
$allowedScriptDomains
protected
array
$allowedScriptDomains
= [''self'']
$allowedStyleDomains
protected
array
$allowedStyleDomains
= [''self'']
$allowedWorkerSrcDomains
protected
array
$allowedWorkerSrcDomains
= []
$evalScriptAllowed
protected
bool
$evalScriptAllowed
= false
$inlineScriptAllowed
protected
bool
$inlineScriptAllowed
= false
$inlineStyleAllowed
protected
bool
$inlineStyleAllowed
= true
Tags
$reportTo
protected
array
$reportTo
= []
$useJsNonce
protected
string
$useJsNonce
= null
Methods
addAllowedChildSrcDomain()
Domains from which web-workers and nested browsing content can load elements
public
addAllowedChildSrcDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedConnectDomain()
To which remote domains the JS connect to.
public
addAllowedConnectDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedFontDomain()
Allows using fonts from a specific domain. Use * to allow fonts from all domains.
public
addAllowedFontDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedFormActionDomain()
Domain to where forms can submit
public
addAllowedFormActionDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —addAllowedFrameAncestorDomain()
Domains which can embed an iFrame of the Nextcloud instance
public
addAllowedFrameAncestorDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —addAllowedFrameDomain()
Which domains can be embedded in an iframe
public
addAllowedFrameDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedImageDomain()
Allows embedding images from a specific domain. Use * to allow images from all domains.
public
addAllowedImageDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedMediaDomain()
From which domains media elements can be embedded.
public
addAllowedMediaDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedObjectDomain()
From which domains objects such as <object>, <embed> or <applet> are executed
public
addAllowedObjectDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedScriptDomain()
Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
public
addAllowedScriptDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedStyleDomain()
Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
public
addAllowedStyleDomain(string $domain) : $this
Parameters
- $domain : string
-
Domain to whitelist. Any passed value needs to be properly sanitized.
Tags
Return values
$this —addAllowedWorkerSrcDomain()
Domain from which workers can be loaded
public
addAllowedWorkerSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —addReportTo()
Add location to report CSP violations to
public
addReportTo(string $location) : $this
Parameters
- $location : string
Tags
Return values
$this —allowEvalScript()
Whether eval in JavaScript is allowed or forbidden
public
allowEvalScript([bool $state = true ]) : $this
Parameters
- $state : bool = true
Tags
Return values
$this —allowInlineScript()
Whether inline JavaScript snippets are allowed or forbidden
public
allowInlineScript([bool $state = false ]) : $this
Parameters
- $state : bool = false
Tags
Return values
$this —allowInlineStyle()
Whether inline CSS snippets are allowed or forbidden
public
allowInlineStyle([bool $state = true ]) : $this
Parameters
- $state : bool = true
Tags
Return values
$this —buildPolicy()
Get the generated Content-Security-Policy as a string
public
buildPolicy() : string
Tags
Return values
string —disallowChildSrcDomain()
Remove the specified allowed child src domain from the allowed domains.
public
disallowChildSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowConnectDomain()
Remove the specified allowed connect domain from the allowed domains.
public
disallowConnectDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowFontDomain()
Remove the specified allowed font domain from the allowed domains.
public
disallowFontDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowFormActionDomain()
Remove domain to where forms can submit
public
disallowFormActionDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowFrameAncestorDomain()
Domains which can embed an iFrame of the Nextcloud instance
public
disallowFrameAncestorDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowFrameDomain()
Remove the specified allowed frame domain from the allowed domains.
public
disallowFrameDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowImageDomain()
Remove the specified allowed image domain from the allowed domains.
public
disallowImageDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowMediaDomain()
Remove the specified allowed media domain from the allowed domains.
public
disallowMediaDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowObjectDomain()
Remove the specified allowed object domain from the allowed domains.
public
disallowObjectDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowScriptDomain()
Remove the specified allowed script domain from the allowed domains.
public
disallowScriptDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowStyleDomain()
Remove the specified allowed style domain from the allowed domains.
public
disallowStyleDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —disallowWorkerSrcDomain()
Remove domain from which workers can be loaded
public
disallowWorkerSrcDomain(string $domain) : $this
Parameters
- $domain : string
Tags
Return values
$this —useJsNonce()
Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
public
useJsNonce(string $nonce) : $this
Parameters
- $nonce : string