public function testGetPolicyObjectDomainValidMultiple()
{
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self';connect-src 'self';media-src 'self';object-src www.owncloud.com www.owncloud.org";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.org');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
public function testGetPolicyDisallowObjectDomainMultipleStakes()
{
$expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
$this->contentSecurityPolicy->addAllowedObjectDomain('www.owncloud.com');
$this->contentSecurityPolicy->disallowObjectDomain('www.owncloud.org')->disallowObjectDomain('www.owncloud.com');
$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
}
/**
* @PublicPage
* @NoCSRFRequired
*
* @return TemplateResponse
*/
public function showLibreOnline()
{
$params = ['urlGenerator' => $this->urlGenerator];
$response = new TemplateResponse($this->appName, 'online', $params, 'blank');
$policy = new ContentSecurityPolicy();
$policy->addAllowedChildSrcDomain('*');
$policy->addAllowedScriptDomain("*");
$policy->addAllowedConnectDomain("*");
$policy->addAllowedStyleDomain("*");
$policy->addAllowedMediaDomain("*");
$policy->addAllowedFontDomain('*');
$policy->addAllowedImageDomain('*');
$policy->addAllowedFrameDomain('*');
$policy->addAllowedObjectDomain('*');
$policy->allowInlineScript(True);
$policy->allowInlineStyle(True);
$policy->allowEvalScript(True);
$response->setContentSecurityPolicy($policy);
return $response;
}
/**
* CAUTION: the @Stuff turn off security checks, for this page no admin is
* required and no CSRF check. If you don't know what CSRF is, read
* it up in the docs or you might create a security hole. This is
* basically the only required method to add this exemption, don't
* add it to any other method if you don't exactly know what it does
*
* @NoAdminRequired
* @NoCSRFRequired
*/
public function index()
{
$conf = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
$params = array('user' => $this->userId);
$conf = $this->userId === 'test' ? 1 : $conf;
if ($conf == 1) {
\OCP\Util::addscript('passman', 'firstrun');
$exampleItems = array();
$exampleItems[0] = array('label' => 'Item 1', 'tags' => array(array('text' => 'Example tag'), array('text' => 'Example tag 2')));
$exampleItems[1] = array('label' => 'Item 2', 'tags' => array(array('text' => 'Example tag 2'), array('text' => 'Example tag 3')));
foreach ($exampleItems as $key => $val) {
$this->itemAPI->create('', '', '', '', '', $val['label'], '', '', '', '', $val['tags'], array());
}
}
$response = new TemplateResponse('passman', 'main', $params);
$csp = new ContentSecurityPolicy();
$csp->addAllowedObjectDomain('\'self\'');
$csp->addAllowedImageDomain('data:');
$response->setContentSecurityPolicy($csp);
return $response;
// templates/main.php
}