fix: Use `CSP_NONCE` env variable in ContentSecurity Header

We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CPS_NONCE environment variable if available. Signed-off-by: Holger Hees <holger.hees@gmail.com>
author: Holger Hees <holger.hees@gmail.com> 2024-02-14 13:32:21 +0100
committer: Ferdinand Thiessen <opensource@fthiessen.de> 2024-08-13 09:52:08 +0200
commit: 73397cd75998c70ccbb5d2cfa87465b88ba23152 (patch)
tree: 3823f05900e380dcc84705e03978e7a397d77cf2 /lib/private/AppFramework
parent: 21db61817467169d225af1e4a96bb37f9feaf70e (diff)
download: nextcloud-server-73397cd75998c70ccbb5d2cfa87465b88ba23152.tar.gz
nextcloud-server-73397cd75998c70ccbb5d2cfa87465b88ba23152.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
index 2115c07c0fc..32e9b04cd1e 100644
--- a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
@@ -53,7 +53,7 @@ class CSPMiddleware extends Middleware {
 		$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
 
 		if ($this->cspNonceManager->browserSupportsCspV3()) {
-			$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
+			$defaultPolicy->useJsNonce($this->cspNonceManager->getNonce());
 		}
 
 		$response->setContentSecurityPolicy($defaultPolicy);
author	Holger Hees <holger.hees@gmail.com>	2024-02-14 13:32:21 +0100
committer	Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-13 09:52:08 +0200
commit	73397cd75998c70ccbb5d2cfa87465b88ba23152 (patch)
tree	3823f05900e380dcc84705e03978e7a397d77cf2 /lib/private/AppFramework
parent	21db61817467169d225af1e4a96bb37f9feaf70e (diff)
download	nextcloud-server-73397cd75998c70ccbb5d2cfa87465b88ba23152.tar.gz nextcloud-server-73397cd75998c70ccbb5d2cfa87465b88ba23152.zip