nextcloud-raw/lib/Controller

<?php
namespace OCA\Raw\Controller;

use \Exception;

trait RawResponse {
	protected function returnRawResponse($fileNode) {
		if ($fileNode->getType() === 'dir') {
			// If the requested path is a folder, try return its index.html.
			try {
				$fileNode = $fileNode->get('index.html');
			} catch (NotFoundException $e) {
				return new NotFoundResponse();
			}
		}

		$content = $fileNode->getContent();
		$mimetype = $fileNode->getMimeType();

		// Ugly hack to have exact control over the response, to e.g. prevent security middleware
		// messing up the CSP. TODO find a neater solution than bluntly doing header() + echo + exit.
		header( // Add a super strict CSP: no connectivity allowed.
			"Content-Security-Policy: sandbox; default-src 'none'; img-src data:; media-src data:; "
			. "style-src data: 'unsafe-inline'; font-src data:; frame-src data:"
		);
		header("Content-Type: ${mimetype}");
		echo $content;
		exit;
	}
}