fix(dev): Add useStrictDynamicOnScripts to `OCP\AppFramework\Http\EmptyContentSecurityPolicy`

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
susnux committed Nov 17, 2023
1 parent 91bde0d commit a32ee9d
Showing 2 changed files with 12 additions and 1 deletion.
@@ -131,6 +131,7 @@ The details of this change can also be seen in the todo items that are linked fr
Added APIs
^^^^^^^^^^

* ``\OCP\AppFramework\Http\EmptyContentSecurityPolicy::useStrictDynamicOnScripts`` to set 'strict-dynamic' on the 'script-src-elem' CSP, this is set by default to true to allow apps using module JS to import dependencies.
* ``\OCP\Mail\IMessage::setSubject`` to set an email subject. See :ref:`email` for an example.
* ``\OCP\Mail\IMessage::setHtmlBody`` and ``\OCP\Mail\IMessage::setPlainBody`` to set an email body See :ref:`email` for an example.
* ``\OCP\IEventSourceFactory`` to create a ``OCP\IEventSource`` instance.
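Review bot: the new ``useStrictDynamicOnScripts`` bullet in this hunk is a comma splice and never says which release made the setting the default, while the controllers.rst change in the same commit says "since Nextcloud 28"; split the sentence and state the version so both pages agree, e.g. "... to set 'strict-dynamic' on the 'script-src-elem' CSP directive. Since Nextcloud 28 this defaults to ``true`` so that apps using module JS can import their dependencies." Also, "the 'script-src-elem' CSP" reads as if script-src-elem were a policy rather than a directive.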
12 changes: 11 additions & 1 deletion developer_manual/basics/controllers.rst
@@ -669,7 +669,8 @@ If you want to use a custom, lazily rendered response simply implement the inter
Modifying the content security policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_. However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.
By default Nextcloud disables all resources which are not served on the same domain, forbids cross domain requests and disables inline CSS and JavaScript by setting a `Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_.
However if an app relies on third-party media or other features which are forbidden by the current policy the policy can be relaxed.

.. note:: Double check your content and edge cases before you relax the policy! Also read the `documentation provided by MDN <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>`_

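Review bot: since this sentence is being split onto its own line anyway, fix its grammar in the same change: "However if an app relies on ..." needs a comma after "However", and "cross domain requests" should be hyphenated as "cross-domain requests". The note two lines below is also missing a terminating period after the MDN link.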
@@ -680,6 +681,15 @@ The following methods turn off security features by passing in **true** as the *
* **allowInlineScript** (bool $isAllowed)
* **allowInlineStyle** (bool $isAllowed)
* **allowEvalScript** (bool $isAllowed)
* **useStrictDynamic** (bool $isAllowed)

Trust all scripts that are loaded by a trusted script, see 'script-src' and 'strict-dynamic'

* **useStrictDynamicOnScripts** (bool $isAllowed)

Trust all scripts that are loaded by a trusted script which was loaded using a ``<script>`` tag, see 'script-src-elem' **(enabled by default)**

.. note:: ``useStrictDynamicOnScripts`` is enabled by default to allow module javascript to load its dependencies using ``import`` since Nextcloud 28. You can disable this by passing **false** as the parameter.

The following methods whitelist domains by passing in a domain or \* for any domain:

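Review bot: the description paragraphs added under ``useStrictDynamic`` and ``useStrictDynamicOnScripts`` ("Trust all scripts that are loaded ...") are not indented, so in reStructuredText each one terminates the bullet list and the following ``*`` item starts a new list; indent both descriptions by two spaces under their bullet so they render as part of the item. The ``useStrictDynamicOnScripts`` bullet also sits under a lead-in stating that these methods "turn off security features by passing in **true**", yet this one is on by default and the note says to pass **false** to disable it, so state the default and the disabling value in the bullet itself or give the method its own short paragraph. Minor: "javascript" should be "JavaScript", and both new descriptions lack a terminating period.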

0 comments on commit a32ee9d
