upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-08 00:02:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 33

fix: Allow nonce in csp header also if no other reasons are given

Browse source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl 2024-02-23 10:53:12 +01:00
parent 3103a85c18
commit 8df5864db7
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View file

@ -37,8 +37,8 @@ namespace OCP\AppFramework\Http;
* @since 9.0.0
*/
class EmptyContentSecurityPolicy {
/** @var string JS nonce to be used */
protected $jsNonce = null;
/** @var ?string JS nonce to be used */
protected ?string $jsNonce = null;
/** @var bool Whether strict-dynamic should be used */
protected $strictDynamicAllowed = null;
/** @var bool Whether strict-dynamic should be used on script-src-elem */
@ -460,7 +460,7 @@ class EmptyContentSecurityPolicy {
$policy .= "base-uri 'none';";
$policy .= "manifest-src 'self';";
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
$policy .= 'script-src ';
$scriptSrc = '';
if (is_string($this->jsNonce)) {