upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-14 05:27:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
nextcloud/core/templates/layout.guest.php
Ferdinand Thiessen 2916e5df7e
feat: Provide CSP nonce as <meta> element 
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-13 10:32:44 +02:00

67 lines
2.5 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
/**
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2011-2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
?>
<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="<?php p($_['language']); ?>" data-locale="<?php p($_['locale']); ?>" translate="no" >
<head
<?php if ($_['user_uid']) { ?>
data-user="<?php p($_['user_uid']); ?>" data-user-displayname="<?php p($_['user_displayname']); ?>"
<?php } ?>
data-requesttoken="<?php p($_['requesttoken']); ?>">
<meta charset="utf-8">
<title>
<?php
p(!empty($_['pageTitle']) ? $_['pageTitle'] . ' ' : '');
p($theme->getTitle());
?>
</title>
<meta name="csp-nonce" nonce="<?php p($_['cspNonce']); /* Do not pass into "content" to prevent exfiltration */ ?>">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<?php if ($theme->getiTunesAppId() !== '') { ?>
<meta name="apple-itunes-app" content="app-id=<?php p($theme->getiTunesAppId()); ?>">
<?php } ?>
<meta name="theme-color" content="<?php p($theme->getColorPrimary()); ?>">
<link rel="icon" href="<?php print_unescaped(image_path('core', 'favicon.ico')); /* IE11+ supports png */ ?>">
<link rel="apple-touch-icon" href="<?php print_unescaped(image_path('core', 'favicon-touch.png')); ?>">
<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path('core', 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
<link rel="manifest" href="<?php print_unescaped(image_path('core', 'manifest.json')); ?>" crossorigin="use-credentials">
<?php emit_css_loading_tags($_); ?>
<?php emit_script_loading_tags($_); ?>
<?php print_unescaped($_['headers']); ?>
</head>
<body id="<?php p($_['bodyid']);?>">
<?php include 'layout.noscript.warning.php'; ?>
<?php include 'layout.initial-state.php'; ?>
<div class="wrapper">
<div class="v-align">
<?php if ($_['bodyid'] === 'body-login'): ?>
<header>
<div id="header">
<div class="logo"></div>
</div>
</header>
<?php endif; ?>
<main>
<h1 class="hidden-visually">
<?php p($theme->getName()); ?>
</h1>
<?php print_unescaped($_['content']); ?>
</main>
</div>
</div>
<?php
$longFooter = $theme->getLongFooter();
?>
<footer class="guest-box <?php if ($longFooter === '') {
p('hidden');
} ?>">
<p class="info">
<?php print_unescaped($longFooter); ?>
</p>
</footer>
</body>
</html>
Reference in a new issue View git blame Copy permalink