08a3f37695
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-06-12 10:03:59 +07:00
5b5895a130
Drop meta robots tag
...
Revert mistake
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2023-06-09 18:06:37 +07:00
5b2d5767e1
fix(docs): Fix language and copy-paste class name in docs of CSP
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-05-30 13:39:33 +07:00
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-25 14:50:32 +07:00
89c3c31402
feat(ratelimit): Add Attributes support to rate limit middleware
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-24 12:24:48 +07:00
e839eb9b5c
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-03-08 12:09:22 +07:00
5f90b8eb11
Change X-Robots-Tag header from "none" to "noindex, nofollow"
...
While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
Signed-off-by: MichaIng <micha@dietpi.com>
2023-02-15 20:16:51 +07:00
20e00cdf17
feat(app-framework): Add UseSession attribute to replace annotation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-01-27 09:40:35 +07:00
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +07:00
82b98b4b9b
Fix typo in deprecated
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-10-04 11:42:24 +07:00
c55ae98a3f
Add description for public and immutable
...
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Daniel <mail@danielkesselberg.de>
2022-09-03 15:58:18 +07:00
855ef21883
Update docblock for cacheFor
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-09-03 15:28:23 +07:00
df89e7fd39
Merge pull request #32485 from nextcloud/debt/noid/psalm-streamer-fh
...
[Psalm] Fix docblock for addFileFromStream
2022-05-31 14:22:05 +07:00
3901a93c72
Use JSON_THROW_ON_ERROR instead of custom error handling
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-05-30 19:17:49 +07:00
be99ea969e
Fix type for resource
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-05-24 22:05:59 +07:00
ad908cd87a
Make appName of TemplateResponse accessible in BeforeTemplateRenderedEvent
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-05-20 15:03:40 +07:00
7cd356ee7d
Fix psalm warning for zip response due wrong type
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-05-13 15:50:26 +07:00
18c013d8fc
Add CSP policy merge priority for booleans
...
When two booleans conflict when merging CSP policies, true will win.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-04-01 13:56:34 +07:00
bd03dd37be
Allow to set a strict-dynamic CSP through the API
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-09 15:10:27 +07:00
7dddbd0c35
Improve caching policy
...
* Cache css with version in url. This makes most js and css requests to
be cached by the browser
* Force caching previews, the etag is in the url so that if the propfind
gives a new etag, we will refresh it otherwise it's no use to try to
fetch the new etag and do tons of DB queries
Tested with firefox and 'debug' => false (important so that the js/css
urls are generated with ?v= parameter)
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-02-16 11:35:57 +07:00
c712987878
send request id in response header
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2022-02-01 14:24:01 +07:00
aa455e71d9
Merge branch 'master' into enhancement/noid/IURLGenerator-linkToDefaultPageUrl
2021-08-04 18:52:55 +07:00
28970563a2
Remove some mentions of ownCloud from our api documentation
...
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2021-07-29 15:56:30 +07:00
a43de10d1e
Add RedirectToDefaultAppResponse::__construct() annotations
...
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
2021-07-01 15:35:09 +07:00
e478db9161
Deprecate RedirectToDefaultAppResponse
...
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
2021-07-01 15:13:08 +07:00
2c7186a15f
Remove \OC::$server->getURLGenerator() usage
...
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
2021-07-01 15:12:15 +07:00
12059eb65b
Add IUrlGenerator::linkToDefaultPageUrl()
...
Replaces the deprecated \OC_Util::getDefaultPageUrl() and makes this API public.
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
2021-06-30 16:20:57 +07:00
9ed379da22
Merge pull request #27635 from nextcloud/fix/datetime-constants
...
Fix usage of DateTime constants
2021-06-23 09:56:28 +07:00
6d5cfe0c66
Move DateTime::RFC2822 to DateTimeInterface::2822
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-06-23 15:30:43 +07:00
25ab4059c6
Add security.txt
...
Ref https://securitytxt.org
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-06-23 13:58:47 +07:00
2ae60b42ab
Merge pull request #26494 from rigrig/fix-php8-deprecations
...
Fix some php 8 warnings
2021-06-07 23:30:59 +07:00
215aef3cbd
Update php licenses
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +07:00
377514aad1
Escape filename in Content-Disposition
...
We should escape all occurences of ' and \ in here.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-06-02 19:22:17 +07:00
a0d265b0b1
Fix a usort comparison function returning a boolean instead of an integer
...
PHP 8 shows deprecation warnings about this, see #25806
Signed-off-by: Richard de Boer <git@tubul.net>
2021-05-29 14:14:52 +07:00
02c011c4f7
Make debugging easier which header is being set
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-03-24 13:22:44 +07:00
08d4458542
Initialize \OCP\AppFramework\Http\ZipResponse::$resources
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-02-17 19:59:27 +07:00
9ce3ea3368
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-30 14:07:05 +07:00
d89a75be0b
Update all license headers for Nextcloud 21
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 18:48:22 +07:00
329ffa257e
Log an error when setting a custom header on "Not Modified" responses
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-12-15 11:24:15 +07:00
71cf92697c
Update comment to reflect current CSP policy
...
JS unsafe-eval was removed a long time ago in https://github.com/nextcloud/server/pull/11028
2020-12-12 21:11:42 +07:00
1e111b2ad2
Fix DataResponse typehints
...
We use this already in several places where we just pass strings or
numbers.
This all works because we just convert it to a json response in the end.
So better to have the typehints reflect this.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 20:34:42 +07:00
9163790b7c
Set frame-ancestors to none if none are filled
...
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-18 10:13:36 +07:00
fa6a790859
Remove deprecated OCSResponse
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-01 14:12:27 +07:00
d9015a8c94
Format code to a single space around binary operators
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +07:00
8ab2422b6c
Add acutal response to BeforeTemplateRenderedEvent
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-09-24 20:00:23 +07:00
b5e9f7e846
Merge pull request #22432 from nextcloud/enh/phpdoc
...
Add php docs build script
2020-08-26 21:18:11 +07:00
45a474071e
Remove @package annotations from public namespace
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-08-26 16:59:40 +07:00
2a054e6c04
Update the license headers for Nextcloud 20
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +07:00
35a8519591
Fix CS
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +07:00
e66bc4a8a7
Send "429 Too Many Requests" in case of brute force protection
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +07:00
0581356169
Merge pull request #22097 from nextcloud/enh/noid/empty-template
...
Add empty renderAs template
2020-08-05 11:42:29 +07:00
b51746212e
Add base renderAs template
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-08-04 09:48:43 +07:00
e1b696929f
Move NotFoundResponse to a proper TemplateResponse
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-07-24 08:58:14 +07:00
49970639fa
Add constants for the magic strings of template rendering
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-07-16 15:47:28 +07:00
c4b53538af
Better event description for BeforeTemplateRenderedEvent in files and files_sharing
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-07-15 20:15:51 +07:00
7d7ba61625
Add real events to load additionalscripts
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-07-15 14:07:18 +07:00
b7060be18d
Fix robots "noindex, nofollow" signals
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-06-25 08:29:43 +07:00
fbf9772a3e
Allow to specify the cookie type for appframework responses
...
In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.
Helps with #21474
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-06-22 08:38:44 +07:00
4fbea316a7
Merge pull request #20897 from nextcloud/bugfix/httpcache
...
Proxy server could cache http response when it is not private
2020-05-13 08:27:05 +07:00
e9be3a9090
Add public argument to Http cacheFor()
...
Signed-off-by: Clement Wong <git@clement.hk>
2020-05-10 20:24:14 +07:00
401210d259
Proxy server could cache http response when it is not private
...
Signed-off-by: Clement Wong <git@clement.hk>
2020-05-10 11:24:08 +07:00
cb057829f7
Update license headers for 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +07:00
28f8eb5dba
Add visibility to all constants
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +07:00
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +07:00
afbd9c4e6e
Unify function spacing to PSR2 recommendation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +07:00
41b5e5923a
Use exactly one empty line after the namespace declaration
...
For PSR2
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +07:00
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +07:00
1a9330cd69
Update the license headers for Nextcloud 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +07:00
463b388589
Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports
...
Remove unused imports
2020-03-27 17:14:08 +07:00
b80ebc9674
Use the short array syntax, everywhere
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +07:00
74936c49ea
Remove unused imports
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 22:08:08 +07:00
4c01326913
add docs for useJsNonce
...
Signed-off-by: Pavel Krasikov <klonishe@gmail.com>
2020-03-15 17:02:11 +07:00
6127c288e8
Fix license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-01-13 14:23:49 +07:00
883a71ce8e
Split the menu entry for external shares in two
...
The external shares entry showed a "button" that, when pressed, replaced
the button with the input to set the remote share address. The "button"
was actually a label for the input, so when the label was focused it
transferred the focus to the input and thus pressing enter or space did
not show the input. Moreover, inputs inside links are not valid HTML,
and once shown there was no way to hide the input again.
Due to all this, and for consistency with the direct link input, the
external share input was moved to a different menu item that is shown
and hidden when the button, which nows is also a real button, is
clicked.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2019-12-30 10:29:36 +07:00
33b2f4e295
Format HTML elements
...
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2019-12-30 10:29:36 +07:00
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +07:00
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +07:00
a85f2f4165
set default CSP on NotFoundResponse
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-09-09 22:37:12 +07:00
35db32f504
Add deprecation warning
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-29 14:52:50 +07:00
c40fe8b819
Do not enforce the parent constructor of response to be called
...
If there is no policy set we just take the default empty ones.
That way no obscure errors get thrown if the constructor is not called.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-19 14:39:34 +07:00
c4cafae884
frame-src doesn't respect the nonce attribute
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-16 21:29:57 +07:00
b8c5008acf
Add feature policy header
...
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +07:00
f94ee72507
Add form-action CSP element
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +07:00
cd243b0876
No need to have these classes we tighten the default CSP from time to
...
time
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 14:59:48 +07:00
7276735eb4
Set empty CSP by default
...
For #14179
By default responses should have the strictest (and simplest) CSP
possible. Only template responses should require an actual CSP.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-16 14:09:39 +07:00
4d8e1f6c67
CSP: set nonce for iframes
...
This for now uses the jsNonce. That way we can easily backport it.
For 17 I will fix it properly.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-03-16 20:20:03 +07:00
3203d3e806
Allow apps to redirect to the default app
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 09:19:46 +07:00
b68567e9ba
Add StandaloneTemplateResponse
...
This can be used by pages that do not have the full Nextcloud UI.
So notifications etc do not load there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:26:18 +07:00
d182037bce
Emit to load additionalscripts
...
Fixes #13662
This will fire of an event after a Template Response has been returned.
There is an event for the generic loading and one when logged in. So
apps can chose to load only on loged in pages.
This is a more generic approach than the files app event. As some things
we might want to load on other pages as well besides the files app.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-31 12:11:40 +07:00
ad676c0102
Set default frame-ancestors to 'self'
...
For #13042
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +07:00
64244e1a4f
CSP: Allow fonts to be provided in data
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +07:00
58345e02d2
Basic CSP no longer deprecated
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-08 10:37:48 +07:00
579822b6a5
Add report-uri to CSP
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +07:00
5b61ef9213
Disallow unsafe-eval by default
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +07:00
bcbffdb644
Add PHPDoc
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-10-02 22:35:31 +07:00
7d9052d4b9
fixup! Add fix response
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:17:27 +07:00
a891f42a5d
fixup! Add fix response
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:16:28 +07:00
a9fa220e68
Add fix response
...
implements #7589
2018-10-02 08:13:39 +07:00
8354c50911
Deprecate the childSrc functions
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +07:00
c8fe4b4fc8
Add workerSrc to CSP
...
Fixes #11035
Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +07:00
Christoph Wurst
Git'Fellow
Joas Schilling
MichaIng
Côme Chilliet
Daniel
blizzz
Julius Härtl
Vincent Petry
Carl Schwan
Robin Appelman
Daniel Rudolf
Pytal
Lukas Reschke
Morris Jobke
John Molakvoæ (skjnldsv)
Richard de Boer
Thomas Citharel
Roeland Jago Douma
Roeland Jago Douma
Clement Wong
Christoph Wurst
Pavel Krasikov
Daniel Calviño Sánchez
Jakob Sack