fix: Use CSP_NONCE env variable in ContentSecurity Header

We should use 'cspNonceManager' for requesting the NONCE value, because it does the same as before, except that it honors a CSP_NONCE environment variable if available.

Signed-off-by: Holger Hees <holger.hees@gmail.com>
Holger Hees 2024-02-14 13:32:21 +01:00 committed by Ferdinand Thiessen
parent 21db618174
commit 73397cd759
No known key found for this signature in database
GPG key ID: 45FAE7268762B400

@ -53,7 +53,7 @@ class CSPMiddleware extends Middleware {
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
if ($this->cspNonceManager->browserSupportsCspV3()) {
$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
$defaultPolicy->useJsNonce($this->cspNonceManager->getNonce());
}
$response->setContentSecurityPolicy($defaultPolicy);
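Review bot: The nonce source changes from the CSRF token's encrypted value to `$this->cspNonceManager->getNonce()`, and the commit message says that getter honors a CSP_NONCE environment variable; a value taken from the environment is fixed for the lifetime of the process unless something sets it per request, and a nonce that repeats across responses gives the `useJsNonce()` policy no protection against injected scripts. Please state in the commit message or a code comment which deployments are expected to set CSP_NONCE and that the supplied value must be unique per response. The hunk only covers the header side; the same `getNonce()` value has to be the one written into the `nonce` attributes of the rendered script tags, otherwise browsers that pass `browserSupportsCspV3()` will refuse the page's own scripts, so it would help to mention where that consumer is updated.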