fix: Make sure CSP nonce is not double base64 encoded

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php

@@ -30,7 +30,10 @@ class ContentSecurityPolicyNonceManager {
 	public function getNonce(): string {
 		if ($this->nonce === '') {
 			if (empty($this->request->server['CSP_NONCE'])) {
-				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+				// Get the token from the CSRF token, we only use the "shared secret" part
+				// as the first part does not add any security / entropy to the token
+				// so it can be ignored to keep the nonce short while keeping the same randomness
+				$this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue())));
 			} else {
 				$this->nonce = $this->request->server['CSP_NONCE'];
 			}

lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

@@ -89,7 +89,7 @@ class EmptyContentSecurityPolicy {
 	}
 
 	/**
-	 * Use the according JS nonce
+	 * Use the according base64 encoded JS nonce
 	 * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
 	 *
 	 * @param string $nonce
@@ -448,7 +448,7 @@ class EmptyContentSecurityPolicy {
 				if ($this->strictDynamicAllowed) {
 					$scriptSrc .= '\'strict-dynamic\' ';
 				}
-				$scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\'';
+				$scriptSrc .= '\'nonce-'.$this->jsNonce.'\'';
 				$allowedScriptDomains = array_flip($this->allowedScriptDomains);
 				unset($allowedScriptDomains['\'self\'']);
 				$this->allowedScriptDomains = array_flip($allowedScriptDomains);