diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php index 0f637e5afd6..2046c240291 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php @@ -30,7 +30,10 @@ class ContentSecurityPolicyNonceManager { public function getNonce(): string { if ($this->nonce === '') { if (empty($this->request->server['CSP_NONCE'])) { - $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue()); + // Get the token from the CSRF token, we only use the "shared secret" part + // as the first part does not add any security / entropy to the token + // so it can be ignored to keep the nonce short while keeping the same randomness + $this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()))); } else { $this->nonce = $this->request->server['CSP_NONCE']; } diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 5b4cf7eab8b..7772f2f3f3c 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -89,7 +89,7 @@ class EmptyContentSecurityPolicy { } /** - * Use the according JS nonce + * Use the according base64 encoded JS nonce * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager * * @param string $nonce @@ -448,7 +448,7 @@ class EmptyContentSecurityPolicy { if ($this->strictDynamicAllowed) { $scriptSrc .= '\'strict-dynamic\' '; } - $scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\''; + $scriptSrc .= '\'nonce-'.$this->jsNonce.'\''; $allowedScriptDomains = array_flip($this->allowedScriptDomains); unset($allowedScriptDomains['\'self\'']); $this->allowedScriptDomains = array_flip($allowedScriptDomains);