Nextcloud PHP API (stable19)

StrictInlineContentSecurityPolicy extends ContentSecurityPolicy

Class StrictInlineContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy sent by Nextcloud. Per default only JavaScript, stylesheets, images, fonts, media and connections from the same domain ('self') are allowed.

Even if a value gets modified above defaults will still get appended. Please notice that Nextcloud ships already with sensible defaults and those policies should require no modification at all for most use-cases.

This is a temp helper class from the default ContentSecurityPolicy to allow slow migration to a stricter CSP. This does not allow inline styles.

Tags
since
14.0.0
deprecated
17.0.0

Table of Contents

$allowedChildSrcDomains  : array
$allowedConnectDomains  : array
$allowedFontDomains  : array
$allowedFormActionDomains  : array
$allowedFrameAncestors  : array
$allowedFrameDomains  : array
$allowedImageDomains  : array
$allowedMediaDomains  : array
$allowedObjectDomains  : array
$allowedScriptDomains  : array
$allowedStyleDomains  : array
$allowedWorkerSrcDomains  : array
$evalScriptAllowed  : bool
$inlineScriptAllowed  : bool
$inlineStyleAllowed  : bool
$reportTo  : array
$useJsNonce  : string
__construct()  : mixed
addAllowedChildSrcDomain()  : $this
Domains from which web-workers and nested browsing content can load elements
addAllowedConnectDomain()  : $this
To which remote domains the JS connect to.
addAllowedFontDomain()  : $this
Allows using fonts from a specific domain. Use * to allow fonts from all domains.
addAllowedFormActionDomain()  : $this
Domain to where forms can submit
addAllowedFrameAncestorDomain()  : $this
Domains which can embed an iFrame of the Nextcloud instance
addAllowedFrameDomain()  : $this
Which domains can be embedded in an iframe
addAllowedImageDomain()  : $this
Allows embedding images from a specific domain. Use * to allow images from all domains.
addAllowedMediaDomain()  : $this
From which domains media elements can be embedded.
addAllowedObjectDomain()  : $this
From which domains objects such as <object>, <embed> or <applet> are executed
addAllowedScriptDomain()  : $this
Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.
addAllowedStyleDomain()  : $this
Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.
addAllowedWorkerSrcDomain()  : $this
Domain from which workers can be loaded
addReportTo()  : $this
Add location to report CSP violations to
allowEvalScript()  : $this
Whether eval in JavaScript is allowed or forbidden
allowInlineScript()  : $this
Whether inline JavaScript snippets are allowed or forbidden
allowInlineStyle()  : $this
Whether inline CSS snippets are allowed or forbidden
buildPolicy()  : string
Get the generated Content-Security-Policy as a string
disallowChildSrcDomain()  : $this
Remove the specified allowed child src domain from the allowed domains.
disallowConnectDomain()  : $this
Remove the specified allowed connect domain from the allowed domains.
disallowFontDomain()  : $this
Remove the specified allowed font domain from the allowed domains.
disallowFormActionDomain()  : $this
Remove domain to where forms can submit
disallowFrameAncestorDomain()  : $this
Domains which can embed an iFrame of the Nextcloud instance
disallowFrameDomain()  : $this
Remove the specified allowed frame domain from the allowed domains.
disallowImageDomain()  : $this
Remove the specified allowed image domain from the allowed domains.
disallowMediaDomain()  : $this
Remove the specified allowed media domain from the allowed domains.
disallowObjectDomain()  : $this
Remove the specified allowed object domain from the allowed domains.
disallowScriptDomain()  : $this
Remove the specified allowed script domain from the allowed domains.
disallowStyleDomain()  : $this
Remove the specified allowed style domain from the allowed domains.
disallowWorkerSrcDomain()  : $this
Remove domain from which workers can be loaded
useJsNonce()  : $this
Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager

Properties

Methods

addAllowedChildSrcDomain()

Domains from which web-workers and nested browsing content can load elements

public addAllowedChildSrcDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
deprecated
15.0.0

use addAllowedWorkerSrcDomains or addAllowedFrameDomain

Return values
$this

addAllowedConnectDomain()

To which remote domains the JS connect to.

public addAllowedConnectDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedFontDomain()

Allows using fonts from a specific domain. Use * to allow fonts from all domains.

public addAllowedFontDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedFormActionDomain()

Domain to where forms can submit

public addAllowedFormActionDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
17.0.0
Return values
$this

addAllowedFrameAncestorDomain()

Domains which can embed an iFrame of the Nextcloud instance

public addAllowedFrameAncestorDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
13.0.0
Return values
$this

addAllowedFrameDomain()

Which domains can be embedded in an iframe

public addAllowedFrameDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedImageDomain()

Allows embedding images from a specific domain. Use * to allow images from all domains.

public addAllowedImageDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedMediaDomain()

From which domains media elements can be embedded.

public addAllowedMediaDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedObjectDomain()

From which domains objects such as <object>, <embed> or <applet> are executed

public addAllowedObjectDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedScriptDomain()

Allows to execute JavaScript files from a specific domain. Use * to allow JavaScript from all domains.

public addAllowedScriptDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedStyleDomain()

Allows to execute CSS files from a specific domain. Use * to allow CSS from all domains.

public addAllowedStyleDomain(string $domain) : $this
Parameters
$domain : string

Domain to whitelist. Any passed value needs to be properly sanitized.

Tags
since
8.1.0
Return values
$this

addAllowedWorkerSrcDomain()

Domain from which workers can be loaded

public addAllowedWorkerSrcDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
15.0.0
Return values
$this

addReportTo()

Add location to report CSP violations to

public addReportTo(string $location) : $this
Parameters
$location : string
Tags
since
15.0.0
Return values
$this

allowEvalScript()

Whether eval in JavaScript is allowed or forbidden

public allowEvalScript([bool $state = true ]) : $this
Parameters
$state : bool = true
Tags
since
8.1.0
deprecated

Eval should not be used anymore. Please update your scripts. This function will stop functioning in a future version of Nextcloud.

Return values
$this

allowInlineScript()

Whether inline JavaScript snippets are allowed or forbidden

public allowInlineScript([bool $state = false ]) : $this
Parameters
$state : bool = false
Tags
since
8.1.0
deprecated
10.0

CSP tokens are now used

Return values
$this

allowInlineStyle()

Whether inline CSS snippets are allowed or forbidden

public allowInlineStyle([bool $state = true ]) : $this
Parameters
$state : bool = true
Tags
since
8.1.0
Return values
$this

buildPolicy()

Get the generated Content-Security-Policy as a string

public buildPolicy() : string
Tags
since
8.1.0
Return values
string

disallowChildSrcDomain()

Remove the specified allowed child src domain from the allowed domains.

public disallowChildSrcDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
deprecated
15.0.0

use the WorkerSrcDomains or FrameDomain

Return values
$this

disallowConnectDomain()

Remove the specified allowed connect domain from the allowed domains.

public disallowConnectDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowFontDomain()

Remove the specified allowed font domain from the allowed domains.

public disallowFontDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowFormActionDomain()

Remove domain to where forms can submit

public disallowFormActionDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
17.0.0
Return values
$this

disallowFrameAncestorDomain()

Domains which can embed an iFrame of the Nextcloud instance

public disallowFrameAncestorDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
13.0.0
Return values
$this

disallowFrameDomain()

Remove the specified allowed frame domain from the allowed domains.

public disallowFrameDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowImageDomain()

Remove the specified allowed image domain from the allowed domains.

public disallowImageDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowMediaDomain()

Remove the specified allowed media domain from the allowed domains.

public disallowMediaDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowObjectDomain()

Remove the specified allowed object domain from the allowed domains.

public disallowObjectDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowScriptDomain()

Remove the specified allowed script domain from the allowed domains.

public disallowScriptDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowStyleDomain()

Remove the specified allowed style domain from the allowed domains.

public disallowStyleDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
8.1.0
Return values
$this

disallowWorkerSrcDomain()

Remove domain from which workers can be loaded

public disallowWorkerSrcDomain(string $domain) : $this
Parameters
$domain : string
Tags
since
15.0.0
Return values
$this

useJsNonce()

Use the according JS nonce This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager

public useJsNonce(string $nonce) : $this
Parameters
$nonce : string
Tags
since
11.0.0
Return values
$this

Search results