/**
 * Render the passwords app's main page.
 *
 * On ownCloud 8.1 and later a ContentSecurityPolicy is attached that lets the
 * page load images from two external hosts; on 8.0.x the policy class does not
 * exist, so the bare template response is returned. The version test is a
 * string-prefix check on the human-readable version ("8.0" means legacy).
 *
 * NOTE(review): the two hosts look like favicon services. If the client fetches
 * icons for stored entries from them, the hostnames of the user's saved sites
 * are disclosed to those third parties — confirm and document for users.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    // Evaluate the version before building the response, as the original did.
    $isLegacy = substr(\OC_Util::getHumanVersion(), 0, 3) == '8.0';

    $response = new TemplateResponse('passwords', 'main');
    if ($isLegacy) {
        // OC <= 8.0.4: no CSP support.
        return $response;
    }

    // OC >= 8.1
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://icons.duckduckgo.com');
    $policy->addAllowedImageDomain('https://www.google.com');
    $response->setContentSecurityPolicy($policy);
    return $response;
}
/**
 * Two image domains added one after the other must both appear in img-src,
 * in insertion order, while every other directive keeps its default value.
 */
public function testGetPolicyImageDomainValidMultiple() {
    $policy = $this->contentSecurityPolicy;
    $policy->addAllowedImageDomain('www.owncloud.com');
    $policy->addAllowedImageDomain('www.owncloud.org');

    $expected = "default-src 'none';"
        . "script-src 'self' 'unsafe-eval';"
        . "style-src 'self' 'unsafe-inline';"
        . "img-src 'self' www.owncloud.com www.owncloud.org;"
        . "font-src 'self';"
        . "connect-src 'self';"
        . "media-src 'self'";

    $this->assertSame($expected, $policy->buildPolicy());
}
/**
 * Render the app's main page.
 *
 * Passes the "improperly configured cron" warning from the status service to
 * the template and widens the default CSP so embedded content can be shown.
 *
 * NOTE(review): connect-src '*' lets page scripts fetch/XHR any origin, not only
 * this server. If the client only talks to its own backend, 'self' would be the
 * tighter choice — confirm before changing.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    $status = $this->statusService->getStatus();
    $params = [
        'cronWarning' => $status['warnings']['improperlyConfiguredCron'],
    ];
    $response = new TemplateResponse($this->appName, 'index', $params);

    $policy = new ContentSecurityPolicy();
    // Images, media and connections from any origin.
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedMediaDomain('*');
    $policy->addAllowedConnectDomain('*');
    // Embedded players; the bare and www. hosts are distinct CSP sources.
    $frameHosts = [
        'https://youtube.com',
        'https://www.youtube.com',
        'https://player.vimeo.com',
        'https://www.player.vimeo.com',
    ];
    foreach ($frameHosts as $frameHost) {
        $policy->addAllowedFrameDomain($frameHost);
    }
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Render the app's main page for the current user. The attached CSP only
 * extends img-src with "data:" (presumably for inline images in notes —
 * confirm against the client code).
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain('data:');

    $templateParams = array('user' => $this->userId);
    $response = new TemplateResponse('ownnote', 'main', $templateParams);
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Serve the PDF viewer page on the bare 'blank' layout.
 *
 * Reachable without login or CSRF token (@PublicPage). The CSP lets the page
 * embed content from its own origin (child-src 'self'), use data: fonts and
 * load images from any host.
 * NOTE(review): img-src '*' is broader than a viewer seems to need — confirm
 * which hosts the viewer actually pulls images from.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showPdfViewer() {
    $response = new TemplateResponse(
        $this->appName,
        'viewer',
        ['urlGenerator' => $this->urlGenerator],
        'blank'
    );

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFontDomain('data:');
    $policy->addAllowedImageDomain('*');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * The viewer response must use the 'blank' layout, pass the URL generator to
 * the template and carry exactly the expected CSP (child-src 'self',
 * data: fonts, images from anywhere).
 */
public function testShowPdfViewer() {
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFontDomain('data:');
    $policy->addAllowedImageDomain('*');

    $expected = new TemplateResponse(
        $this->appName,
        'viewer',
        ['urlGenerator' => $this->urlGenerator],
        'blank'
    );
    $expected->setContentSecurityPolicy($policy);

    $actual = $this->controller->showPdfViewer();
    $this->assertEquals($expected, $actual);
}
/**
 * Render the app management page.
 *
 * Tells the template whether experimental app-store apps are enabled, marks
 * the 'core_apps' navigation entry active and allows app icons/screenshots
 * to be loaded from the ownCloud app store host.
 *
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function viewApps() {
    $experimental = $this->config->getSystemValue('appstore.experimental.enabled', false);
    $this->navigationManager->setActiveEntry('core_apps');

    $response = new TemplateResponse(
        $this->appName,
        'apps',
        ['experimentalEnabled' => $experimental],
        'user'
    );

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Render the app's main page for the current user. On ownCloud 8.1 or newer
 * a CSP extending img-src with "data:" is attached; older versions have no
 * ContentSecurityPolicy class, so the response is returned as is.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    $templateParams = array('user' => $this->userId);
    $response = new TemplateResponse('ownmnote', 'main', $templateParams);

    // [major, minor, ...]; the minor part is only consulted for major == 8,
    // so a one-element version array is never indexed out of range.
    $version = \OCP\Util::getVersion();
    $supportsCsp = $version[0] > 8 || ($version[0] == 8 && $version[1] >= 1);
    if ($supportsCsp) {
        $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $policy->addAllowedImageDomain('data:');
        $response->setContentSecurityPolicy($policy);
    }

    return $response;
}
/**
 * Serve the reader page on the bare 'blank' layout.
 *
 * Reachable without login or CSRF token (@PublicPage). The CSP allows the
 * page to embed/frame its own origin and to use blob: URLs for stylesheets
 * and images (presumably for content the reader generates client-side —
 * confirm).
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showReader() {
    $templateParams = ['urlGenerator' => $this->urlGenerator];
    $response = new TemplateResponse($this->appName, 'reader', $templateParams, 'blank');

    $policy = new ContentSecurityPolicy();
    // Same-origin embedding via both the newer child-src and legacy frame-src.
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFrameDomain('\'self\'');
    // In-memory blobs for styles and images.
    $policy->addAllowedStyleDomain('blob:');
    $policy->addAllowedImageDomain('blob:');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Render the notes app's main page.
 *
 * Looks up the id of the note the user viewed last and hands it to the
 * template; if that note no longer exists for this user the id is reset to 0
 * (presumably "nothing selected" — confirm in the template). Images may be
 * loaded from any host.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $noteId = (int) $this->settings->getUserValue(
        $this->userId,
        $this->appName,
        'notesLastViewedNote'
    );

    // A stale id (note deleted meanwhile) must not be handed to the client.
    try {
        $this->notesService->get($noteId, $this->userId);
    } catch (NoteDoesNotExistException $ex) {
        $noteId = 0;
    }

    $response = new TemplateResponse($this->appName, 'main', ['lastViewedNote' => $noteId]);

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('*');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Render the documents app's main page.
 *
 * Collects preview/upload/sharing settings for the template and attaches a
 * CSP that admits the external jQuery scripts the page uses, a WebSocket to
 * port 9980 on this host, images from anywhere, inline scripts and data: fonts.
 *
 * NOTE(review): the policy allows script-src from plaintext http:// CDN URLs
 * plus 'unsafe-eval' and inline script, which largely defeats the CSP; any
 * on-path attacker can swap those scripts. The same CDN list is repeated in
 * frame-src, where script URLs and 'unsafe-eval' have no meaning. The
 * connect-src entry is built from $_SERVER['SERVER_NAME'], which can reflect
 * the client-sent Host header depending on web-server configuration, and uses
 * plaintext ws:// even when the page itself is served over HTTPS — consider
 * deriving host and scheme from the validated request instead.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    \OC::$server->getNavigationManager()->setActiveEntry('documents_index');

    $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
    $templateParams = [
        'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
        'useUnstable' => $this->settings->getAppValue('documents', 'unstable', 'false'),
        'savePath' => $this->settings->getUserValue($this->uid, 'documents', 'save_path', '/'),
        'uploadMaxFilesize' => $maxUploadFilesize,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
        'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
    ];
    $response = new TemplateResponse('documents', 'documents', $templateParams);

    // Identical source list for script-src and frame-src.
    $externalSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'';
    $webSocket = 'ws://' . $_SERVER['SERVER_NAME'] . ':9980';

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedScriptDomain($externalSources);
    $policy->addAllowedFrameDomain($externalSources);
    $policy->addAllowedConnectDomain($webSocket);
    $policy->addAllowedImageDomain('*');
    $policy->allowInlineScript(true);
    $policy->addAllowedFontDomain('data:');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Serve the LibreOffice Online page on the bare 'blank' layout.
 *
 * Reachable without login or CSRF token (@PublicPage). Every CSP fetch
 * directive is opened to any origin and inline script, inline style and eval
 * are all permitted.
 * NOTE(review): that is functionally the same as sending no CSP at all on a
 * public page. If the Online server's origin is known (e.g. from app config),
 * restricting script/frame/connect to it would restore real protection.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showLibreOnline() {
    $templateParams = ['urlGenerator' => $this->urlGenerator];
    $response = new TemplateResponse($this->appName, 'online', $templateParams, 'blank');

    $policy = new ContentSecurityPolicy();
    // Wildcard every directive, in the same order as before.
    $wildcardDirectives = [
        'addAllowedChildSrcDomain',
        'addAllowedScriptDomain',
        'addAllowedConnectDomain',
        'addAllowedStyleDomain',
        'addAllowedMediaDomain',
        'addAllowedFontDomain',
        'addAllowedImageDomain',
        'addAllowedFrameDomain',
        'addAllowedObjectDomain',
    ];
    foreach ($wildcardDirectives as $directive) {
        $policy->$directive('*');
    }
    $policy->allowInlineScript(true);
    $policy->allowInlineStyle(true);
    $policy->allowEvalScript(true);
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Render the passman main page. On a first run (user setting
 * firstpassmanrun/show == 1, the default) the firstrun script is queued and
 * two example items are created for the user.
 *
 * NOTE(review): this GET handler writes to storage (itemAPI->create) while the
 * CSRF check is disabled, and nothing in this method resets the first-run flag,
 * so the example items are recreated on every load until something else clears
 * it — confirm the firstrun script does. A user literally named "test" is
 * forced into first-run mode permanently; this looks like a leftover test hook.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    $firstRun = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
    $templateParams = array('user' => $this->userId);
    if ($this->userId === 'test') {
        $firstRun = 1;
    }

    // Loose comparison kept: the stored value is likely returned as a string.
    if ($firstRun == 1) {
        \OCP\Util::addscript('passman', 'firstrun');

        $exampleItems = array(
            array(
                'label' => 'Item 1',
                'tags' => array(array('text' => 'Example tag'), array('text' => 'Example tag 2')),
            ),
            array(
                'label' => 'Item 2',
                'tags' => array(array('text' => 'Example tag 2'), array('text' => 'Example tag 3')),
            ),
        );
        foreach ($exampleItems as $item) {
            $this->itemAPI->create('', '', '', '', '', $item['label'], '', '', '', '', $item['tags'], array());
        }
    }

    $response = new TemplateResponse('passman', 'main', $templateParams);

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedObjectDomain('\'self\'');
    $policy->addAllowedImageDomain('data:');
    $response->setContentSecurityPolicy($policy);

    return $response; // templates/main.php
}
/**
 * viewApps() must read the experimental-appstore flag once, activate the
 * 'core_apps' navigation entry once, and return the 'apps' template on the
 * 'user' layout with a CSP allowing images from the app store.
 *
 * NOTE(review): getSystemValue is not stubbed with a return value, so the
 * controller presumably receives null; the loose comparison in assertEquals
 * is what lets that match the expected `false`.
 */
public function testViewApps() {
    $this->config
        ->expects($this->once())
        ->method('getSystemValue')
        ->with('appstore.experimental.enabled', false);
    $this->navigationManager
        ->expects($this->once())
        ->method('setActiveEntry')
        ->with('core_apps');

    $expected = new TemplateResponse('settings', 'apps', ['experimentalEnabled' => false], 'user');
    $expectedPolicy = new ContentSecurityPolicy();
    $expectedPolicy->addAllowedImageDomain('https://apps.owncloud.com');
    $expected->setContentSecurityPolicy($expectedPolicy);

    $actual = $this->appSettingsController->viewApps();
    $this->assertEquals($expected, $actual);
}
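/**
 * Render the Collabora Online document list.
 *
 * Derives the WebSocket endpoint for the editor from the admin-configured
 * wopi_url — ws:// for http, wss:// for https, same host and optional port —
 * and passes it to the template as 'wopi_url'. A wopi_url without scheme or
 * host yields an error page instead.
 *
 * Fix: the scheme comparison is now case-insensitive, so a wopi_url such as
 * "HTTPS://host" yields wss:// rather than silently falling back to plaintext
 * ws:// against a TLS-only server.
 *
 * NOTE(review): script-src admits plaintext http:// CDN URLs, 'unsafe-eval'
 * and inline script, which largely defeats the CSP; the same list is repeated
 * in frame-src/child-src, where script URLs serve no purpose. $wopiRemote is
 * appended to the header verbatim — it is admin-controlled, but a value with
 * a path, ';' or whitespace would alter the policy; using only
 * scheme://host[:port] (as already done for $webSocket) would be safer.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $wopiRemote = $this->appConfig->getAppValue('wopi_url');
    $parts = parse_url($wopiRemote);
    if (!$parts || !isset($parts['scheme']) || !isset($parts['host'])) {
        return $this->responseError(
            $this->l10n->t('Collabora Online: Invalid URL "%s".', array($wopiRemote)),
            $this->l10n->t('Please ask your administrator to check the Collabora Online server setting.')
        );
    }

    // Scheme names are case-insensitive; parse_url() returns them as written.
    $webSocketProtocol = strcasecmp($parts['scheme'], 'https') === 0 ? 'wss://' : 'ws://';
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    $webSocket = $webSocketProtocol . $parts['host'] . $port;

    \OC::$server->getNavigationManager()->setActiveEntry('richdocuments_index');
    $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
    $response = new TemplateResponse('richdocuments', 'documents', [
        'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
        'uploadMaxFilesize' => $maxUploadFilesize,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
        'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
        'wopi_url' => $webSocket,
    ]);

    // One source list shared by script-src, frame-src and child-src.
    $externalSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote;

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedScriptDomain($externalSources);
    /* frame-src is deprecated on Firefox, but Safari wants it! */
    $policy->addAllowedFrameDomain($externalSources);
    $policy->addAllowedChildSrcDomain($externalSources);
    $policy->addAllowedConnectDomain($webSocket);
    $policy->addAllowedImageDomain('*');
    $policy->allowInlineScript(true);
    $policy->addAllowedFontDomain('data:');
    $response->setContentSecurityPolicy($policy);

    return $response;
}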
/**
 * Render the app management page for one category.
 *
 * The raw $category string is echoed into the template, so for the "enabled"
 * category it is replaced by the fixed literal 'enabled' instead of whatever
 * the caller sent; other categories are passed through as received.
 * Also exposes the experimental-apps and app-store-enabled flags, activates
 * the 'core_apps' navigation entry and allows images from the app store host.
 *
 * @NoCSRFRequired
 * @param string $category
 * @return TemplateResponse
 */
public function viewApps($category = '') {
    // Never put the arbitrary input string into HTML for the enabled view.
    if ($this->getCategory($category) === self::CAT_ENABLED) {
        $category = 'enabled';
    }

    $templateParams = [
        'experimentalEnabled' => $this->config->getSystemValue('appstore.experimental.enabled', false),
        'category' => $category,
        'appstoreEnabled' => $this->config->getSystemValue('appstoreenabled', true) === true,
    ];

    $this->navigationManager->setActiveEntry('core_apps');
    $response = new TemplateResponse($this->appName, 'apps', $templateParams, 'user');

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Install on $response a CSP whose img-src additionally allows "data:".
 *
 * $response is an object, so the caller's instance is modified in place and
 * nothing is returned. NOTE(review): a brand-new policy is set, so any CSP
 * previously attached to $response is presumably replaced, not extended.
 *
 * @param TemplateResponse $response
 */
private function addContentSecurityToResponse($response) {
    $policy = new Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain("data:");
    $response->setContentSecurityPolicy($policy);
}