nextcloud · come-nc · Sep 29, 2025 · Sep 28, 2025
@@ -579,6 +579,41 @@ private static function performSameSiteCookieProtection(IConfig $config): void {
 		}
 	}
 
+	/**
+	 * This function adds some security related headers to all requests served via base.php
+	 * The implementation of this function has to happen here to ensure that all third-party
+	 * components (e.g. SabreDAV) also benefit from this headers.
+	 */
+	private static function addSecurityHeaders(): void {
+		/**
+		 * FIXME: Content Security Policy for legacy components. This
+		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
+		 * is used everywhere.
+		 * @see \OCP\AppFramework\Http\Response::getHeaders
+		 */
+		$policy = 'default-src \'self\'; '
+			. 'script-src \'self\' \'nonce-' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '\'; '
+			. 'style-src \'self\' \'unsafe-inline\'; '
+			. 'frame-src *; '
+			. 'img-src * data: blob:; '
+			. 'font-src \'self\' data:; '
+			. 'media-src *; '
+			. 'connect-src *; '
+			. 'object-src \'none\'; '
+			. 'base-uri \'self\'; ';
+		header('Content-Security-Policy:' . $policy);
+
+		// Send fallback headers for installations that don't have the possibility to send
+		// custom headers on the webserver side
+		if (getenv('modHeadersAvailable') !== 'true') {
+			header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
+			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+			header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
+			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+			header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+		}
+	}
+
 	public static function init(): void {
 		// First handle PHP configuration and copy auth headers to the expected
 		// $_SERVER variable before doing anything Server object related
@@ -702,7 +737,7 @@ public static function init(): void {
 		self::checkConfig();
 		self::checkInstalled($systemConfig);
 
-		OC_Response::addSecurityHeaders();
+		self::addSecurityHeaders();
 
 		self::performSameSiteCookieProtection($config);
 

@@ -2179,7 +2179,6 @@
     'OC_Helper' => $baseDir . '/lib/private/legacy/OC_Helper.php',
     'OC_Hook' => $baseDir . '/lib/private/legacy/OC_Hook.php',
     'OC_JSON' => $baseDir . '/lib/private/legacy/OC_JSON.php',
-    'OC_Response' => $baseDir . '/lib/private/legacy/OC_Response.php',
     'OC_Template' => $baseDir . '/lib/private/legacy/OC_Template.php',
     'OC_User' => $baseDir . '/lib/private/legacy/OC_User.php',
     'OC_Util' => $baseDir . '/lib/private/legacy/OC_Util.php',

@@ -2220,7 +2220,6 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OC_Helper' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Helper.php',
         'OC_Hook' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Hook.php',
         'OC_JSON' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_JSON.php',
-        'OC_Response' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Response.php',
         'OC_Template' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Template.php',
         'OC_User' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_User.php',
         'OC_Util' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Util.php',