\OCP\AppFramework\Http\ContentSecurityPolicy

Class ContentSecurityPolicy is a simple helper which allows applications to modify the Content-Security-Policy header sent by ownCloud. By default only JavaScript, stylesheets, images, fonts, media and connections from the same origin ('self') are allowed.

Even if a value is modified, the defaults above are still appended to the generated policy. Note that ownCloud already ships with sensible defaults; for most use cases these policies require no modification at all.
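The following is an added example, not code from this page or from the ownCloud project, showing how an app would apply a modified policy to a single response rather than changing the global header. It assumes the ownCloud AppFramework's Controller, TemplateResponse and IRequest classes and the Response::setContentSecurityPolicy() method exist as named; the app name and the domains cdn.example.org and api.example.org are placeholders.

```php
<?php
// Added example: scoping a CSP change to one response.
// Assumes the AppFramework classes below exist as named; only
// ContentSecurityPolicy itself is documented on this page.
namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;

class PageController extends Controller {

    public function __construct($appName, IRequest $request) {
        parent::__construct($appName, $request);
    }

    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     */
    public function index() {
        $response = new TemplateResponse($this->appName, 'index');

        // Start from the shipped defaults ('self' for every directive) and
        // widen only what this page needs: one script/style CDN and one
        // API endpoint. Inline script stays forbidden (its default).
        $policy = new ContentSecurityPolicy();
        $policy->addAllowedScriptDomain('cdn.example.org')   // placeholder
               ->addAllowedStyleDomain('cdn.example.org')    // placeholder
               ->addAllowedConnectDomain('api.example.org'); // placeholder

        // allowEvalScript() defaults to true (see the property docs above).
        // This app's scripts do not use eval, so tighten it for this page.
        $policy->allowEvalScript(false);

        // The policy applies to this response only; other controllers keep
        // ownCloud's default header. buildPolicy() can be logged during
        // development to inspect the exact header value before it is sent.
        $response->setContentSecurityPolicy($policy);
        return $response;
    }
}
```

Keep the widening as narrow as possible: each added domain is a host whose compromise would yield script execution in the ownCloud origin. Test the page with the browser console open after tightening eval, since third-party libraries bundled with the app may rely on it.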

Summary

Methods (public)

allowInlineScript()
allowEvalScript()
addAllowedScriptDomain()
disallowScriptDomain()
allowInlineStyle()
addAllowedStyleDomain()
disallowStyleDomain()
addAllowedFontDomain()
disallowFontDomain()
addAllowedImageDomain()
disallowImageDomain()
addAllowedConnectDomain()
disallowConnectDomain()
addAllowedMediaDomain()
disallowMediaDomain()
addAllowedObjectDomain()
disallowObjectDomain()
addAllowedFrameDomain()
disallowFrameDomain()
addAllowedChildSrcDomain()
disallowChildSrcDomain()
buildPolicy()

Properties (protected)

$inlineScriptAllowed
$evalScriptAllowed
$allowedScriptDomains
$inlineStyleAllowed
$allowedStyleDomains
$allowedImageDomains
$allowedConnectDomains
$allowedMediaDomains
$allowedObjectDomains
$allowedFrameDomains
$allowedFontDomains
$allowedChildSrcDomains

Constants

None

Properties

$inlineScriptAllowed

$inlineScriptAllowed : boolean

Type

boolean — Whether inline JS snippets are allowed

$evalScriptAllowed

$evalScriptAllowed : boolean

Type

boolean — Whether eval in JavaScript is allowed. TODO: disallow by default

$allowedScriptDomains

$allowedScriptDomains : array

Type

array — Domains from which scripts can get loaded

$inlineStyleAllowed

$inlineStyleAllowed : boolean

Type

boolean — Whether inline CSS is allowed. TODO: disallow by default

$allowedStyleDomains

$allowedStyleDomains : array

Type

array — Domains from which CSS can get loaded

$allowedImageDomains

$allowedImageDomains : array

Type

array — Domains from which images can get loaded

$allowedConnectDomains

$allowedConnectDomains : array

Type

array — Domains to which connections (XMLHttpRequest, WebSocket, fetch) can be made

$allowedMediaDomains

$allowedMediaDomains : array

Type

array — Domains from which media elements can be loaded

$allowedObjectDomains

$allowedObjectDomains : array

Type

array — Domains from which object elements can be loaded

$allowedFrameDomains

$allowedFrameDomains : array

Type

array — Domains from which iframes can be loaded

$allowedFontDomains

$allowedFontDomains : array

Type

array — Domains from which fonts can be loaded

$allowedChildSrcDomains

$allowedChildSrcDomains : array

Type

array — Domains from which web-workers and nested browsing content can load elements

Methods

allowInlineScript()

allowInlineScript(boolean  $state = false) : $this

Whether inline JavaScript snippets are allowed or forbidden. Enabling this adds 'unsafe-inline' to script-src and removes most of the XSS mitigation the policy provides; leave it at the default (false) unless there is no alternative.

Parameters

boolean $state

Returns

$this

allowEvalScript()

allowEvalScript(boolean  $state = true) : $this

Whether eval in JavaScript is allowed or forbidden. Enabling this adds 'unsafe-eval' to script-src. Note that the default is true (see the TODO on $evalScriptAllowed), so apps that do not need eval should pass false explicitly.

Parameters

boolean $state

Returns

$this

addAllowedScriptDomain()

addAllowedScriptDomain(string  $domain) : $this

Allows JavaScript files to be loaded and executed from a specific domain. Use * to allow JavaScript from all domains, which effectively disables the script-src protection.

Parameters

string $domain

Domain to whitelist. The class does not validate or escape this value before inserting it into the header, so any passed value needs to be properly sanitized by the caller.

Returns

$this
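Because the class inserts the passed domain into the header as-is, a caller that forwards configuration or user-supplied values should validate them first; a value containing ';' or whitespace could otherwise smuggle additional directives into the generated policy. The helper below is an added example, not part of ownCloud or of this page; assertCspHostSource() is a hypothetical name, and the grammar it accepts is a deliberately strict subset of a CSP host-source (optional scheme, optional leading wildcard label, hostname, optional port; no paths). The bare * that addAllowedScriptDomain() otherwise accepts is refused on purpose.

```php
<?php
// Added example (not ownCloud code): reject values that are not a plain
// CSP host-source before handing them to addAllowedScriptDomain().
// ContentSecurityPolicy places the string in the header unchanged, so the
// caller is the only place this check can live.

use OCP\AppFramework\Http\ContentSecurityPolicy;

/**
 * Accept only a CSP host-source: optional http(s) scheme, an optional
 * leading "*." wildcard label, DNS-style labels, and an optional port
 * (numeric or "*"). Throws on anything else rather than silently
 * widening the policy. The name assertCspHostSource is hypothetical.
 */
function assertCspHostSource(string $value): string {
    $hostSource = '~^'
        . '(?:https?://)?'                               // optional scheme
        . '(?:\*\.)?'                                    // optional wildcard label
        . '(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*'  // zero or more sub-labels
        . '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'         // final label
        . '(?::(?:\d{1,5}|\*))?'                         // optional port
        . '$~i';
    if (!preg_match($hostSource, $value)) {
        throw new \InvalidArgumentException(
            'Refusing CSP source: ' . var_export($value, true)
        );
    }
    return $value;
}

$policy = new ContentSecurityPolicy();

// Well-formed sources pass through unchanged (constructed sample input).
foreach (['cdn.example.org', 'https://*.example.org:443'] as $ok) {
    $policy->addAllowedScriptDomain(assertCspHostSource($ok));
}

// Malformed or over-broad input is refused (constructed sample input).
// Without the check, the first value would terminate script-src with ';'
// and append a second directive of the attacker's choosing.
$rejected = [
    "cdn.example.org; script-src 'unsafe-inline'",
    "'unsafe-eval'",
    '*',
];
foreach ($rejected as $bad) {
    try {
        $policy->addAllowedScriptDomain(assertCspHostSource($bad));
    } catch (\InvalidArgumentException $e) {
        error_log($e->getMessage());
    }
}
```

The same guard applies to every addAllowed*Domain() method on this page, since they all accept a free-form string. Reject rather than "clean" bad input: stripping characters from an attacker-controlled source can still leave a host you did not intend to trust.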

disallowScriptDomain()

disallowScriptDomain(string  $domain) : $this

Remove the specified allowed script domain from the allowed domains.

Parameters

string $domain

Returns

$this

allowInlineStyle()

allowInlineStyle(boolean  $state = true) : $this

Whether inline CSS snippets are allowed or forbidden

Parameters

boolean $state

Returns

$this

addAllowedStyleDomain()

addAllowedStyleDomain(string  $domain) : $this

Allows CSS files to be loaded from a specific domain. Use * to allow CSS from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowStyleDomain()

disallowStyleDomain(string  $domain) : $this

Remove the specified allowed style domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedFontDomain()

addAllowedFontDomain(string  $domain) : $this

Allows using fonts from a specific domain. Use * to allow fonts from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowFontDomain()

disallowFontDomain(string  $domain) : $this

Remove the specified allowed font domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedImageDomain()

addAllowedImageDomain(string  $domain) : $this

Allows embedding images from a specific domain. Use * to allow images from all domains.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowImageDomain()

disallowImageDomain(string  $domain) : $this

Remove the specified allowed image domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedConnectDomain()

addAllowedConnectDomain(string  $domain) : $this

Remote domains to which JavaScript may connect (XMLHttpRequest, WebSocket, fetch), i.e. the connect-src directive.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowConnectDomain()

disallowConnectDomain(string  $domain) : $this

Remove the specified allowed connect domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedMediaDomain()

addAllowedMediaDomain(string  $domain) : $this

From which domains media elements can be embedded.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowMediaDomain()

disallowMediaDomain(string  $domain) : $this

Remove the specified allowed media domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedObjectDomain()

addAllowedObjectDomain(string  $domain) : $this

Domains from which objects such as <object>, <embed> or <applet> may be loaded and executed.

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowObjectDomain()

disallowObjectDomain(string  $domain) : $this

Remove the specified allowed object domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedFrameDomain()

addAllowedFrameDomain(string  $domain) : $this

Domains whose content can be embedded in an iframe (frame-src).

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowFrameDomain()

disallowFrameDomain(string  $domain) : $this

Remove the specified allowed frame domain from the allowed domains.

Parameters

string $domain

Returns

$this

addAllowedChildSrcDomain()

addAllowedChildSrcDomain(string  $domain) : $this

Domains from which web-workers and nested browsing content can load elements

Parameters

string $domain

Domain to whitelist. Any passed value needs to be properly sanitized.

Returns

$this

disallowChildSrcDomain()

disallowChildSrcDomain(string  $domain) : $this

Remove the specified allowed child src domain from the allowed domains.

Parameters

string $domain

Returns

$this

buildPolicy()

buildPolicy() : string

Get the generated Content-Security-Policy as a string

Returns

string