Commit Graph

59 Commits

Author SHA1 Message Date
Roeland Jago Douma 4d8e1f6c67 CSP: set nonce for iframes
This for now uses the jsNonce. That way we can easily backport it.
For 17 I will fix it properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-03-16 20:20:03 +01:00
Joas Schilling 3203d3e806 Allow apps to redirect to the default app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 09:19:46 +01:00
Roeland Jago Douma b68567e9ba Add StandaloneTemplateResponse
This can be used by pages that do not have the full Nextcloud UI.
So notifications etc do not load there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:26:18 +01:00
Roeland Jago Douma d182037bce Emit to load additionalscripts
Fixes #13662

This will fire of an event after a Template Response has been returned.
There is an event for the generic loading and one when logged in. So
apps can chose to load only on loged in pages.

This is a more generic approach than the files app event. As some things
we might want to load on other pages as well besides the files app.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-31 12:11:40 +01:00
Roeland Jago Douma ad676c0102 Set default frame-ancestors to 'self'
For #13042

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +01:00
Roeland Jago Douma 64244e1a4f CSP: Allow fonts to be provided in data
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +01:00
Roeland Jago Douma 58345e02d2 Basic CSP no longer deprecated
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-08 10:37:48 +01:00
Roeland Jago Douma 579822b6a5 Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma 5b61ef9213 Disallow unsafe-eval by default
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +02:00
Morris Jobke bcbffdb644 Add PHPDoc
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-10-02 22:35:31 +02:00
Roeland Jago Douma 7d9052d4b9 fixup! Add fix response
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:17:27 +02:00
Roeland Jago Douma a891f42a5d fixup! Add fix response
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 08:16:28 +02:00
Jakob Sack a9fa220e68 Add fix response
implements #7589
2018-10-02 08:13:39 +02:00
Roeland Jago Douma 8354c50911 Deprecate the childSrc functions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c8fe4b4fc8 Add workerSrc to CSP
Fixes #11035

Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c21cee248c Disallow eval on the StrictEvalCSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-11 21:12:36 +02:00
Roeland Jago Douma b38fa573e1 Add stricter CSPs
* Deprecate our default CSP
* Add strict CSP that is always our strictest setting
* Add strict eval CSP (disable unsafe-eval)
* Add strict inline CSP (disables inline styles)

This is just to move forward and have a incremental improvement of our
CSP

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-13 14:47:57 +02:00
Roeland Jago Douma a34495933e Move caching logic to response
This avoids having to do it at all the places we want cached responses.

We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 08:48:54 +02:00
Julius Härtl 6ded1c46b7 Add since tags
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 13:18:17 +02:00
Julius Härtl 2e60f91ab1 Move external share saving to template
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 13:11:55 +02:00
Julius Härtl 30e76f9f14 Add footer to public page template
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 12:22:01 +02:00
Julius Härtl eb19899f8e Move common menu templates to public API
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-04-05 11:09:19 +02:00
Julius Härtl 36563d4a4b Remove setters
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Julius Härtl 9cf49873fa Rework array handling to avoid phan error
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Julius Härtl 2b6c00fc0f Add id to list element
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Julius Härtl 7cd0340366 Sort menu by priority
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Julius Härtl 038aad73c7 Add missing phpdoc for public API
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Julius Härtl 4f83462f67 Add phpdoc, typehints and sanitize HTML
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:52 +01:00
Julius Härtl 4f78980fad Add menu item abstraction
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:52 +01:00
Julius Härtl 0655df09d6 Pass template parameters to parent template
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:52 +01:00
Roeland Jago Douma 5825c27a12 Make sure that render always returns a string
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 13:28:40 +01:00
Morris Jobke 31c5c2a592 Change @georgehrke's email
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke 0eebff152a Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Julius Härtl 4cfa1c66b8 Doc: Fix phpDoc issues
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-10-23 23:23:56 +02:00
Roeland Jago Douma 87e10f9e6a OC_OCS_Response is deprecated
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-21 17:56:00 +02:00
Thomas Citharel eb51c46549 fix typo and set @since properly
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Thomas Citharel ecf347bd1a Add CSP frame-ancestors support
Didn't set the @since annotation yet.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Morris Jobke 84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Lukas Reschke dfd8125aeb Replace wrong PHPDocs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Lukas Reschke f22ab3e665 Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Roeland Jago Douma 361d2badd8 Some phpstorm inspection fixes
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-22 21:10:16 +02:00
Morris Jobke c54a59d51e Remove unused use statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Lukas Reschke 8149945a91 Make BruteForceProtection annotation more clever
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Pierre Rudloff 19d3133ccf Web app manifest
Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
2017-03-28 18:39:57 -06:00
Lukas Reschke adfd1e63f6 Add base-uri to CSP policy
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 15:16:20 +01:00
Christoph Wurst fe6416072d set 'no-store' cache header if we do not want FF to cache
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-09 21:29:59 +01:00
Robin Appelman 72a54ff9de prevent warning in StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-29 15:29:02 +01:00
Robin Appelman 4235b18a88 allow passing a stream to StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Roeland Jago Douma f07d75a4dd @since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Lukas Reschke 9e6634814e Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00