/**
* CAUTION: the @Stuff turn off security checks, for this page no admin is
* required and no CSRF check. If you don't know what CSRF is, read
* it up in the docs or you might create a security hole. This is
* basically the only required method to add this exemption, don't
* add it to any other method if you don't exactly know what it does
*
* @NoAdminRequired
* @NoCSRFRequired
*/
public function index()
{
$params = array('user' => $this->userId, 'devices' => $this->deviceMapper->findAll($this->userId));
$response = new TemplateResponse('maps', 'main', $params);
if (class_exists('OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
$csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
// map tiles
$csp->addAllowedImageDomain('http://*.mqcdn.com');
// marker icons
$csp->addAllowedImageDomain('https://api.tiles.mapbox.com');
// inline images
$csp->addAllowedScriptDomain('data:');
$response->setContentSecurityPolicy($csp);
}
return $response;
// templates/main.php
}
<?php
/**
* owncloud_piwik
*
* Copyright (c) 2015 Klaus Herberth <*****@*****.**> <br>
* Released under the MIT license
*
* @author Klaus Herberth <*****@*****.**>
* @license MIT
*/
OCP\App::registerAdmin('piwik', 'settings-admin');
$internal = OCP\Config::getAppValue('piwik', 'internal');
if ($internal === 'yes') {
OCP\Util::addScript('piwik', 'piwik');
}
if (class_exists('\\OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
$piwik = json_decode(OCP\Config::getAppValue('piwik', 'piwik'));
$url = parse_url($piwik->url, PHP_URL_HOST);
if ($_SERVER['HTTP_HOST'] !== $url) {
$policy = new OCP\AppFramework\Http\ContentSecurityPolicy();
$policy->addAllowedScriptDomain($url);
$policy->addAllowedImageDomain($url);
\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
}
}
OCP\Util::addScript('piwik', 'track');
