public function testGetPolicyObjectDomainValidMultiple()
 {
     $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org";
     $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
     $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
     $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
 }
 public function testGetPolicyDisallowObjectDomainMultipleStakes()
 {
     $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
     $this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
     $this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
     $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
 }
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showLibreOnline()
 {
     $params = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'online', $params, 'blank');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedChildSrcDomain('*');
     $policy->addAllowedScriptDomain("*");
     $policy->addAllowedConnectDomain("*");
     $policy->addAllowedStyleDomain("*");
     $policy->addAllowedMediaDomain("*");
     $policy->addAllowedFontDomain('*');
     $policy->addAllowedImageDomain('*');
     $policy->addAllowedFrameDomain('*');
     $policy->addAllowedObjectDomain('*');
     $policy->allowInlineScript(True);
     $policy->allowInlineStyle(True);
     $policy->allowEvalScript(True);
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
Exemple #4
0
 /**
  * CAUTION: the @Stuff turn off security checks, for this page no admin is
  *          required and no CSRF check. If you don't know what CSRF is, read
  *          it up in the docs or you might create a security hole. This is
  *          basically the only required method to add this exemption, don't
  *          add it to any other method if you don't exactly know what it does
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $conf = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
     $params = array('user' => $this->userId);
     $conf = $this->userId === 'test' ? 1 : $conf;
     if ($conf == 1) {
         \OCP\Util::addscript('passman', 'firstrun');
         $exampleItems = array();
         $exampleItems[0] = array('label' => 'Item 1', 'tags' => array(array('text' => 'Example tag'), array('text' => 'Example tag 2')));
         $exampleItems[1] = array('label' => 'Item 2', 'tags' => array(array('text' => 'Example tag 2'), array('text' => 'Example tag 3')));
         foreach ($exampleItems as $key => $val) {
             $this->itemAPI->create('', '', '', '', '', $val['label'], '', '', '', '', $val['tags'], array());
         }
     }
     $response = new TemplateResponse('passman', 'main', $params);
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedObjectDomain('\'self\'');
     $csp->addAllowedImageDomain('data:');
     $response->setContentSecurityPolicy($csp);
     return $response;
     // templates/main.php
 }