daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-06-02 00:40:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move security headers from Caddyfiles to PHP middleware

Browse Source 
- Add SecurityHeadersMiddleware that sets Content-Security-Policy,
  X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies,
  X-DNS-Prefetch-Control, Referrer-Policy, and X-Robots-Tag on all responses
- Register SecurityHeadersMiddleware in index.php
- Add click-handlers.js for CSP-compliant event handling (data-confirm,
  data-stop-event-propagation)
- Update toggle-dark-mode.js to attach click handler via addEventListener
- Remove inline onclick from theme toggle button in layout.twig
- Replace all inline onclick with data-confirm in containers.twig,
  community-containers.twig, and optional-containers.twig

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87889ba-d2ad-4d76-b257-2afd725dac28
This commit is contained in:
copilot-swe-agent[bot]
2026-03-25 11:39:40 +00:00
parent c777cbaf45
commit 3d322e2fe2
8 changed files with 59 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
php/public/click-handlers.js Normal file
View File

@@ -0,0 +1,15 @@
document.addEventListener("DOMContentLoaded", () => {
document.querySelectorAll('input[data-confirm]').forEach((element) => {
element.addEventListener('click', (event) => {
if (!confirm(element.dataset.confirm)) {
event.preventDefault();
}
});
});
document.querySelectorAll('[data-stop-event-propagation="true"]').forEach((element) => {
element.addEventListener('click', (event) => {
event.stopPropagation();
});
});
});

3
php/public/index.php
View File

@@ -55,6 +55,9 @@ $twig->addExtension(new \AIO\Twig\CsrfExtension($container->get(Guard::class)));
// Auth Middleware
$app->add(new \AIO\Middleware\AuthMiddleware($container->get(\AIO\Auth\AuthManager::class)));
// Security Headers Middleware
$app->add(new \AIO\Middleware\SecurityHeadersMiddleware());
// API
$app->post('/api/docker/watchtower', AIO\Controller\DockerController::class . ':StartWatchtowerContainer');
$app->get('/api/docker/getwatchtower', AIO\Controller\DockerController::class . ':StartWatchtowerContainer');

5
php/public/toggle-dark-mode.js
View File

@@ -32,4 +32,7 @@ function setThemeIcon(theme) {
setThemeToDOM(getSavedTheme());
// Apply theme when the page loads
document.addEventListener('DOMContentLoaded', () => setThemeIcon(getSavedTheme()));
document.addEventListener('DOMContentLoaded', () => {
setThemeIcon(getSavedTheme())
document.querySelector('button#theme-toggle')?.addEventListener('click', toggleTheme);
});