public function testGetPolicyFontDomainValidMultiple()
 {
     // Two font hosts are added in order; both must show up in font-src,
     // after 'self', while every other directive keeps its default value.
     $fontHosts = ['www.owncloud.com', 'www.owncloud.org'];
     foreach ($fontHosts as $host) {
         $this->contentSecurityPolicy->addAllowedFontDomain($host);
     }

     $expected = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self';font-src 'self' www.owncloud.com www.owncloud.org;connect-src 'self';media-src 'self'";
     $this->assertSame($expected, $this->contentSecurityPolicy->buildPolicy());
 }
 public function testShowPdfViewer()
 {
     // Build the response the controller should hand back: the 'viewer'
     // template in 'blank' render mode, carrying a CSP that allows 'self'
     // as a child-src and data: URIs for fonts.
     $expected = new TemplateResponse($this->appName, 'viewer', ['urlGenerator' => $this->urlGenerator], 'blank');
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedChildSrcDomain("'self'");
     $csp->addAllowedFontDomain('data:');
     $expected->setContentSecurityPolicy($csp);

     $this->assertEquals($expected, $this->controller->showPdfViewer());
 }
 /**
  * Renders the PDF viewer page.
  *
  * Returns the 'viewer' template in 'blank' render mode with a Content
  * Security Policy that, on top of the defaults, allows 'self' for
  * child-src and data: URIs for fonts (the viewer embeds its own fonts).
  *
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showPdfViewer()
 {
     $templateParams = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'viewer', $templateParams, 'blank');

     $csp = new ContentSecurityPolicy();
     $csp->addAllowedChildSrcDomain("'self'");
     $csp->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($csp);

     return $response;
 }
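 /**
  * Renders the documents index page.
  *
  * Marks the app's navigation entry as active and returns the 'documents'
  * template with the upload limits and the app/system settings the page
  * needs. The response carries a CSP that, beyond the defaults, allows the
  * listed jQuery CDN scripts and 'unsafe-eval' for script-src and frame-src,
  * inline scripts, any image origin, data: fonts and a WebSocket connection
  * back to this host on port 9980.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function index()
 {
     \OC::$server->getNavigationManager()->setActiveEntry('documents_index');

     $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
     $response = new TemplateResponse('documents', 'documents', [
         'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
         'useUnstable' => $this->settings->getAppValue('documents', 'unstable', 'false'),
         'savePath' => $this->settings->getUserValue($this->uid, 'documents', 'save_path', '/'),
         'uploadMaxFilesize' => $maxUploadFilesize,
         'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
         'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
     ]);

     // The same source list is granted to script-src and frame-src.
     // NOTE(review): the CDN entries are plain http:// and 'unsafe-eval' is
     // granted, which weakens the policy considerably; when the instance is
     // served over HTTPS the http:// sources are also subject to mixed-content
     // blocking — confirm these sources are still required.
     $externalScriptSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'';

     $policy = new ContentSecurityPolicy();
     $policy->addAllowedScriptDomain($externalScriptSources);
     $policy->addAllowedFrameDomain($externalScriptSources);
     // NOTE(review): depending on the web-server configuration SERVER_NAME may
     // reflect the request's Host header rather than a configured canonical
     // name; the connect-src entry then follows whatever the client sent —
     // verify the deployment pins the server name.
     $policy->addAllowedConnectDomain('ws://' . $_SERVER['SERVER_NAME'] . ':9980');
     $policy->addAllowedImageDomain('*');
     $policy->allowInlineScript(true);
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);

     return $response;
 }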
 /**
  * Renders the LibreOffice Online page.
  *
  * Returns the 'online' template in 'blank' render mode. The attached CSP
  * wildcards child-src, script-src, connect-src, style-src, media-src,
  * font-src, img-src, frame-src and object-src and additionally permits
  * inline scripts, inline styles and eval — effectively lifting the
  * restrictions the default policy would impose on this page.
  *
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showLibreOnline()
 {
     $templateParams = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'online', $templateParams, 'blank');

     $csp = new ContentSecurityPolicy();
     $csp->addAllowedChildSrcDomain('*');
     $csp->addAllowedScriptDomain('*');
     $csp->addAllowedConnectDomain('*');
     $csp->addAllowedStyleDomain('*');
     $csp->addAllowedMediaDomain('*');
     $csp->addAllowedFontDomain('*');
     $csp->addAllowedImageDomain('*');
     $csp->addAllowedFrameDomain('*');
     $csp->addAllowedObjectDomain('*');
     $csp->allowInlineScript(true);
     $csp->allowInlineStyle(true);
     $csp->allowEvalScript(true);
     $response->setContentSecurityPolicy($csp);

     return $response;
 }
 /**
  * Attaches a Content Security Policy that allows "data:" as a font source
  * to the given response.
  *
  * PHP passes objects by handle, so the policy lands on the caller's
  * response instance; nothing is returned.
  *
  * @param TemplateResponse $response response that receives the policy
  */
 private function addContentSecurityToResponse($response)
 {
     $policy = new Http\ContentSecurityPolicy();
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);
 }
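 /**
  * Renders the richdocuments index page.
  *
  * The configured WOPI server URL (app config 'wopi_url') is parsed and turned
  * into the WebSocket endpoint the template connects to; a value without a
  * scheme or host is rejected with an error response instead. On success the
  * 'documents' template is returned with upload limits and sharing settings,
  * under a CSP that allows the WOPI host and the listed jQuery CDN scripts plus
  * 'unsafe-eval' for script-src, frame-src and child-src, inline scripts, any
  * image origin, data: fonts and the WebSocket endpoint for connect-src.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @return TemplateResponse on success; the value of responseError() otherwise
  */
 public function index()
 {
     $wopiRemote = $this->appConfig->getAppValue('wopi_url');
     $parts = parse_url($wopiRemote);
     if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
         return $this->responseError(
             $this->l10n->t('Collabora Online: Invalid URL "%s".', [$wopiRemote]),
             $this->l10n->t('Please ask your administrator to check the Collabora Online server setting.')
         );
     }

     // Scheme names are case-insensitive, so "HTTPS://..." maps to wss:// as well.
     $webSocketProtocol = strtolower($parts['scheme']) === 'https' ? 'wss://' : 'ws://';
     $webSocketPort = isset($parts['port']) ? ':' . $parts['port'] : '';
     $webSocket = sprintf('%s%s%s', $webSocketProtocol, $parts['host'], $webSocketPort);

     \OC::$server->getNavigationManager()->setActiveEntry('richdocuments_index');

     $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
     $response = new TemplateResponse('richdocuments', 'documents', [
         'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
         'uploadMaxFilesize' => $maxUploadFilesize,
         'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
         'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
         'wopi_url' => $webSocket,
     ]);

     // The same source list is granted to script-src, frame-src and child-src.
     // NOTE(review): the raw configured URL is spliced into the policy string;
     // only its scheme and host were validated above, so a value containing
     // whitespace or ';' would change the emitted directives. Consider granting
     // just scheme://host[:port] here — confirm the template does not rely on
     // a path-restricted source.
     // NOTE(review): the CDN entries are plain http:// and 'unsafe-eval' is
     // granted; on an HTTPS instance the http:// sources are also subject to
     // mixed-content blocking — confirm they are still required.
     $scriptSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote;

     $policy = new ContentSecurityPolicy();
     $policy->addAllowedScriptDomain($scriptSources);
     /* frame-src is deprecated on Firefox, but Safari wants it! */
     $policy->addAllowedFrameDomain($scriptSources);
     $policy->addAllowedChildSrcDomain($scriptSources);
     $policy->addAllowedConnectDomain($webSocket);
     $policy->addAllowedImageDomain('*');
     $policy->allowInlineScript(true);
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);

     return $response;
 }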