Add support for CSP_NONCE server variable

Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Sam Bull <aa6bs0@sambull.org> 2019-07-08 20:54:45 +0100
committer: Roeland Jago Douma <roeland@famdouma.nl> 2019-07-18 12:16:29 +0200
commit: ea935f65fdc94b94b4509a139477b52f046dc03f (patch)
tree: c50f8360389cec594044ee35798da2534bd6a9a6 /lib/private/Security/CSP
parent: 3d0e0f23530160419f182ac9e896dea6f7bc9f59 (diff)
download: nextcloud-server-ea935f65fdc94b94b4509a139477b52f046dc03f.tar.gz
nextcloud-server-ea935f65fdc94b94b4509a139477b52f046dc03f.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 795d8cc8642..f4743369e6e 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
 	 */
 	public function getNonce(): string {
 		if($this->nonce === '') {
-			$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			if (empty($this->request->server['CSP_NONCE'])) {
+				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			} else {
+				$this->nonce = $this->request->server['CSP_NONCE'];
+			}
 		}
 
 		return $this->nonce;
author	Sam Bull <aa6bs0@sambull.org>	2019-07-08 20:54:45 +0100
committer	Roeland Jago Douma <roeland@famdouma.nl>	2019-07-18 12:16:29 +0200
commit	ea935f65fdc94b94b4509a139477b52f046dc03f (patch)
tree	c50f8360389cec594044ee35798da2534bd6a9a6 /lib/private/Security/CSP
parent	3d0e0f23530160419f182ac9e896dea6f7bc9f59 (diff)
download	nextcloud-server-ea935f65fdc94b94b4509a139477b52f046dc03f.tar.gz nextcloud-server-ea935f65fdc94b94b4509a139477b52f046dc03f.zip