From 4d8e1f6c679b062a5eaa0b651863890c37f334ce Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Sat, 16 Mar 2019 20:19:43 +0100
Subject: [PATCH] CSP: set nonce for iframes

This for now uses the jsNonce. That way we can easily backport it. For 17 I will fix it properly.

Signed-off-by: Roeland Jago Douma
---
 lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 3fcef1d0efd..0a77e27d8c0 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
 }
 if(!empty($this->allowedFrameDomains)) {
- $policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
+ $policy .= 'frame-src ';
+ if(is_string($this->useJsNonce)) {
+ $policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
+ }
+ $policy .= implode(' ', $this->allowedFrameDomains);
 $policy .= ';';
 }
-- 
2.39.5
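Review bot: The nonce source is only emitted inside the `!empty($this->allowedFrameDomains)` guard, so a response that has a JS nonce but no allowed frame domains gets no `frame-src` directive at all and a nonced `<iframe>` falls back to whatever `default-src` permits; if nonced frames are meant to work independently of the domain allowlist, the guard should also admit the nonce case, e.g. `if(!empty($this->allowedFrameDomains) || is_string($this->useJsNonce)) {`. Because the same value is the script nonce, the new branch also widens what that one value grants — any element carrying it may now frame any origin, not just the allowlisted ones — which deserves a comment next to the `is_string` check, e.g. `// Temporary: reuses the script nonce for frame-src; a nonce source lets any <iframe> carrying it bypass the domain allowlist`. The method enclosing this hunk starts and ends outside the hunk, so how `useJsNonce` is populated and whether `allowedFrameDomains` can contain `'none'` (which a browser ignores once other sources are present) cannot be confirmed here.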