/**
 * Disallowing font domains must leave the policy exactly as it would be
 * without them: an added domain that is disallowed again disappears, a
 * domain that was never allowed is a no-op, and font-src falls back to
 * 'self' only.
 */
public function testGetPolicyDisallowFontDomainMultipleStakes() {
    $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";

    $csp = $this->contentSecurityPolicy;
    $csp->addAllowedFontDomain('www.owncloud.com');
    // One domain was never allowed, the other was; both end up absent.
    $csp
        ->disallowFontDomain('www.owncloud.org')
        ->disallowFontDomain('www.owncloud.com');

    $this->assertSame($expectedPolicy, $csp->buildPolicy());
}
/**
 * Serve the HTML body of one message as a standalone, cacheable response
 * with a tightened Content-Security-Policy. Inline "cid:" references are
 * resolved to attachment ids through a lookup over the message's attachments.
 * If anything throws, an 'error' template carrying the exception message is
 * returned instead of the HTML body.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @param int $accountId
 * @param string $folderId
 * @param string $messageId
 * @return \OCA\Mail\Http\HtmlResponse
 */
public function getHtmlBody($accountId, $folderId, $messageId) {
    try {
        $folder = $this->getFolder($accountId, $folderId);
        $message = $folder->getMessage($messageId, true);

        // Map a content-id to the id of the first attachment carrying it;
        // null when no attachment matches.
        $resolveCid = function ($cid) use ($message) {
            foreach ($message->attachments as $attachment) {
                if ($attachment['cid'] === $cid) {
                    return $attachment['id'];
                }
            }
            return null;
        };

        $html = $message->getHtmlBody($accountId, $folderId, $messageId, $resolveCid);
        $response = new HtmlResponse($html);

        // Harden the default security policy: the rendered mail is untrusted
        // content, so script evaluation and every script/connect/font/media
        // source (including 'self') are removed from the default policy.
        // FIXME: Remove once ownCloud 8.1 is a requirement for the mail app
        if (class_exists('\\OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
            $policy = new ContentSecurityPolicy();
            $policy->allowEvalScript(false);
            $policy->disallowScriptDomain('\'self\'');
            $policy->disallowConnectDomain('\'self\'');
            $policy->disallowFontDomain('\'self\'');
            $policy->disallowMediaDomain('\'self\'');
            $response->setContentSecurityPolicy($policy);
        }

        // Enable caching for one hour.
        $response->cacheFor(60 * 60);
        $response->addHeader('Pragma', 'cache');

        return $response;
    } catch (\Exception $ex) {
        // NOTE(review): the raw exception message is rendered to the client;
        // a generic message plus server-side logging would avoid disclosing
        // backend details — confirm whether callers rely on the exact text.
        return new TemplateResponse($this->appName, 'error', ['message' => $ex->getMessage()], 'none');
    }
}