nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Roeland Jago Douma	e351ba56f1	Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Lukas Reschke	9e6634814e	Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. Security: As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. Performance: We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	7c078a81b4	Add trict CSP to OCS responses If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.	9 years ago
Roeland Jago Douma	5c718b13b8	We should properly check for 'true' instaed of the bool	10 years ago
Roeland Jago Douma	f7f5216aa3	Dark hackery to not always disable CSRF for OCS controllers	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	4eebccd81f	Fix inconsistent nameing of AppFramework	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago
Lukas Reschke	331e4efacb	Move login form into controller First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.	10 years ago
Stefan Weil	b1a856d7b7	lib: Fix typos (found by codespell) Signed-off-by: Stefan Weil <sw@weilnetz.de>	10 years ago
Lukas Reschke	c353d51810	Remove Scrutinizer Auto Fixer	10 years ago
Lukas Reschke	809ff5ac95	Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```	10 years ago
Thomas Müller	682821c71e	Happy new year!	10 years ago
Scrutinizer Auto-Fixer	ffc49a24f0	Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com	10 years ago
Lukas Reschke	f4eb15d340	Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.	10 years ago
Lukas Reschke	7dda86f371	Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742	11 years ago
Jenkins for ownCloud	b585d87d9d	Update license headers	11 years ago
Morris Jobke	06aef4e8b1	Revert "Updating license headers" This reverts commit `6a1a4880f0`.	11 years ago
Jenkins for ownCloud	6a1a4880f0	Updating license headers	11 years ago
Lukas Reschke	07f0d76fc6	Move CSRF check Because we're closing the session now before controllers are executed there are cases where we cannot write the session.	11 years ago
Lukas Reschke	cd5925036a	Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps	11 years ago
Morris Jobke	b6a4cc20f7	Redirect after session expiry to the previous loaded page * fixes #6945	12 years ago
Bernhard Posselt	5e9ea2b365	fix 8757, get rid of service locator antipattern	12 years ago
Bernhard Posselt	1d45239c65	adjust license headers to new mail address	12 years ago
Bernhard Posselt	c590244fa1	add private property for reflector in security middleware	12 years ago
Bernhard Posselt	80648da431	implement most of the basic stuff that was suggested in #8290	12 years ago
Bernhard Posselt	7e447f4f42	make download and redirectresponse public	12 years ago
Scrutinizer Auto-Fixer	adaee6a5a1	Scrutinizer Auto-Fixes This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720 Enabled analysis tools: - PHP Analyzer - JSHint - PHP Copy/Paste Detector - PHP PDepend	12 years ago
Thomas Tanghus	ad017285e1	Fix namespace for OCP\Appframework\Http To avoid having to use OCP\Appframework\Http\Http in the public - and stable - API OCP\Appframework\Http is now both a class and a namespace.	12 years ago
Thomas Müller	54e77e0e66	fixing typo	12 years ago
Thomas Müller	e071bfc144	fixing SecurityMiddleware to use OC6 API	12 years ago
Thomas Tanghus	c85621a897	Make abstract Middleware class public It doesn't make sense for subclasses to have to implement all methods.	12 years ago
Thomas Tanghus	8603f956ab	Get urlParams registered before Request is instantiated	12 years ago
Thomas Müller	9c9dc276b7	move the private namespace OC into lib/private - OCP will stay in lib/public Conflicts: lib/private/vcategories.php	12 years ago
Thomas Müller	911bd3c16f	moving response classes over to OCP	13 years ago
Thomas Müller	395deacc67	reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token	13 years ago
Thomas Müller	fde9cabe97	initial import of appframework	13 years ago

10 Commits (311531ecce497663960877fc536ba94deff27bc0)