diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-08-01 23:06:55 +0200 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-08-13 10:32:44 +0200 |
| commit | 2916e5df7e08fc588e752beaf486d907112a34ee (patch) | |
| tree | 968c83adcd9a70717bda5d1d1a5e06f23a158097 /lib/private/Security | |
| parent | 009761be58c4485f29a8d3382e51fb4e1bfbeec4 (diff) | |
| download | nextcloud-server-2916e5df7e08fc588e752beaf486d907112a34ee.tar.gz nextcloud-server-2916e5df7e08fc588e752beaf486d907112a34ee.zip | |
feat: Provide CSP nonce as `<meta>` element
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/private/Security')
| -rw-r--r-- | lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php index 2046c240291..993f74ae0e4 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php @@ -33,7 +33,8 @@ class ContentSecurityPolicyNonceManager { // Get the token from the CSRF token, we only use the "shared secret" part // as the first part does not add any security / entropy to the token // so it can be ignored to keep the nonce short while keeping the same randomness - $this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()))); + $csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue())); + $this->nonce = end($csrfSecret); } else { $this->nonce = $this->request->server['CSP_NONCE']; } |