Move security headers from Caddyfiles to PHP middleware

- Add SecurityHeadersMiddleware that sets Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies, X-DNS-Prefetch-Control, Referrer-Policy, and X-Robots-Tag on all responses - Register SecurityHeadersMiddleware in index.php - Add click-handlers.js for CSP-compliant event handling (data-confirm, data-stop-event-propagation) - Update toggle-dark-mode.js to attach click handler via addEventListener - Remove inline onclick from theme toggle button in layout.twig - Replace all inline onclick with data-confirm in containers.twig, community-containers.twig, and optional-containers.twig Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com> Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87889ba-d2ad-4d76-b257-2afd725dac28
2026-06-03 01:10:08 +00:00 · 2026-03-25 11:39:40 +00:00
parent c777cbaf45
commit 3d322e2fe2
8 changed files with 59 additions and 14 deletions
--- a/php/templates/includes/community-containers.twig
+++ b/php/templates/includes/community-containers.twig
@@ -37,6 +37,6 @@
            </p>
        {% endfor %}

-        <input id="community-form-submit" type="submit" value="Save changes" onclick="return confirm('Are you sure that you read the documentation of all community containers that you enabled? If no, please do not continue as this might break your instance!')" />
+        <input id="community-form-submit" type="submit" value="Save changes" data-confirm='Are you sure that you read the documentation of all community containers that you enabled? If no, please do not continue as this might break your instance!' />
    </form>
 </details>
--- a/php/templates/includes/optional-containers.twig
+++ b/php/templates/includes/optional-containers.twig
@@ -41,7 +41,7 @@
                <li>Best support for legacy files</li>
            </ul>
            {% if isAnyRunning == false %}
-                <a href="https://www.collaboraoffice.com/code/" target="_blank" class="office-learn-more" onclick="event.stopPropagation();">
+                <a href="https://www.collaboraoffice.com/code/" target="_blank" class="office-learn-more" data-stop-event-propagation="true">
                    Learn more
                    <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: middle; margin-left: 4px;">
                        <path d="M6 12L10 8L6 4" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
@@ -76,7 +76,7 @@
                <li>Limited ODF compatibility</li>
            </ul>
            {% if isAnyRunning == false %}
-                <a href="https://www.onlyoffice.com/" target="_blank" class="office-learn-more" onclick="event.stopPropagation();">
+                <a href="https://www.onlyoffice.com/" target="_blank" class="office-learn-more" data-stop-event-propagation="true">
                    Learn more
                    <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: middle; margin-left: 4px;">
                        <path d="M6 12L10 8L6 4" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>