Comments (2)
This is a bug indeed which also breaks our plugin. It's a bit difficult to make that decision in the merge functionality. You're confronted with two values, and for some (e.g. inlineStyleAllowed) the truthy value makes the CSP less strict, while for others (e.g. this one: strictDynamicAllowedOnScripts) it makes the CSP stricter. I would argue the merge function needs to respect the least strict CSP that was given.
One potential way of fixing would be to invert the behavior of the variables, so that truthy always means "less strict". In this case, I'd rename the variable from strictDynamicAllowedOnScripts to something like strictDynamicDisabledOnScripts, which actually disables setting strict-dynamic on script-elem (by default, it would be added then). In the default CSP template you would then get:
protected $strictDynamicDisabledOnScripts = false;
protected $strictDynamicDisabled = true;
The merge function could then stay the same. Still not ideal though, as it would still not allow a plugin to actually enforce strict-dynamic unless enabled in the default template. However, it makes the behavior a bit more in line with the behavior on different properties.
from server.
When a CSP rule has a strict default set by the framework (like strict-dynamic), the only meaningful modification would be to disable it. This may have a negative impact on site security, but apps will keep working.
On the other hand, allowing an app to enforce a strict rule when another app has already disabled it will break that app. This is also unnecessary because the strict rule is already in effect by default.
This means that a boolean parameter makes no sense if a strict default is provided, and that the only meaningful use for useStrictDynamicOnScripts(bool) currently does not work. Instead, there should be a disableStrictDynamicOnScripts() method that does not take any arguments and disables the rule once and for all. Apps that require a loosened CSP will keep working, and other apps don't have to care.
Other rules are affected as well, and it's not only on/off rules that cannot be overridden. useJsNonce(string | null) also has no effect.
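The merge problem both comments describe, as an added example that is not Nextcloud's own code: a small model of a CSP flag set where each boolean is annotated with what "true" means, a naive OR merge (the behaviour the comments describe, where useStrictDynamicOnScripts(false) cannot win), and a least-strict merge that ORs loosening flags but ANDs tightening ones. The class name CspFlags, the method names mergeNaive, mergeLeastStrict and scriptSrc, and the flag evalScriptAllowed are assumptions made for the example; inlineStyleAllowed, strictDynamicAllowedOnScripts and useStrictDynamicOnScripts come from the comments above.

```php
<?php
// Added example, not the server's code. Models the merge issue from the
// comments: a per-flag merge that keeps the least strict value, so a plugin
// can loosen the policy but can never silently tighten it for another app.
// Class, method and flag names are illustrative (assumed), not the real API.

final class CspFlags
{
    // Flags where true = MORE strict. These must be merged with AND; every
    // other flag here means "true = less strict" and is merged with OR.
    private const TIGHTENING = ['strictDynamicAllowedOnScripts'];

    /** @var array<string,bool> */
    private array $flags;

    public function __construct(array $overrides = [])
    {
        // Defaults mirror a strict framework template: no inline style,
        // no eval, strict-dynamic applied to script-src.
        $this->flags = [
            'inlineStyleAllowed'            => false,
            'evalScriptAllowed'             => false, // assumed flag
            'strictDynamicAllowedOnScripts' => true,
        ];
        foreach ($overrides as $name => $value) {
            if (!array_key_exists($name, $this->flags)) {
                throw new InvalidArgumentException("unknown flag: $name");
            }
            $this->flags[$name] = (bool)$value;
        }
    }

    public function get(string $name): bool
    {
        return $this->flags[$name];
    }

    /** Naive merge: OR every flag. A "false" from a plugin never wins. */
    public function mergeNaive(CspFlags $other): CspFlags
    {
        $out = [];
        foreach ($this->flags as $name => $value) {
            $out[$name] = $value || $other->get($name);
        }
        return new CspFlags($out);
    }

    /** Least-strict merge: OR for loosening flags, AND for tightening ones. */
    public function mergeLeastStrict(CspFlags $other): CspFlags
    {
        $out = [];
        foreach ($this->flags as $name => $value) {
            $out[$name] = in_array($name, self::TIGHTENING, true)
                ? ($value && $other->get($name))
                : ($value || $other->get($name));
        }
        return new CspFlags($out);
    }

    /** Render the script-src directive so the merge result is visible. */
    public function scriptSrc(): string
    {
        $src = "'self'";
        if ($this->flags['strictDynamicAllowedOnScripts']) {
            $src .= " 'strict-dynamic'";
        }
        if ($this->flags['evalScriptAllowed']) {
            $src .= " 'unsafe-eval'";
        }
        return 'script-src ' . $src;
    }
}

// Constructed scenario: the default template plus one plugin that calls the
// equivalent of useStrictDynamicOnScripts(false).
$default = new CspFlags();
$plugin  = new CspFlags(['strictDynamicAllowedOnScripts' => false]);

echo $default->mergeNaive($plugin)->scriptSrc(), PHP_EOL;       // 'strict-dynamic' still present
echo $default->mergeLeastStrict($plugin)->scriptSrc(), PHP_EOL; // 'strict-dynamic' dropped
```

The first comment's alternative, renaming the flag to strictDynamicDisabledOnScripts so that true always means "less strict", corresponds to the TIGHTENING list above becoming empty: with every flag loosening, the plain OR merge already yields the least strict policy and the merge function can stay as it is. The second comment's disableStrictDynamicOnScripts() proposal is the same outcome expressed as a one-way switch rather than a boolean parameter.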