This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacks (CSS selectors).
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Allow clients to access the new filename validation options
and make frontend name validation possible.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Kate <26026535+provokateurin@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends were used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Add the filename restrictions to our JS config so we can create a common frontend library
function to check filename validity (de-duplicate code).
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
The `OC::$SERVERROOT` is always returned without a trailing slash, so we need to add a slash between server root and apps directory.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
If apps are installed in non-standard app paths, we need
to check `$app_path/$script` instead of only doing so for translations.
Without this it would fall back to `.js` extension even if a `.mjs` file exists.
Also tried to make the code more self-explaining.
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
Enable module js (ES6) support on the `JSResourceLocator`.
This changes `JSResourceLocator` to look for `.mjs` files first
to allow applications to provide a fallback `.js` for older Nextcloud versions.
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
This adds a new config variable `loglevel_frontend`,
allowing to configure the logging level of the
browser part as requested in nextcloud/nextcloud-logger#141
If not configured the `loglevel` is used as the fallback.
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
This capability does DB access and as far as I know is not used by the webui.
This removes one DB query for each page load.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
This was introduced in 309354852f
to fix a bug but I can't reproduce the bug after reverting this change.
Ideally we would need to create an interface in OCP and clean up OC_Defaults
instead of depending on OC_Defaults.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>