authorVincent Petry <vincent@nextcloud.com>2022-04-01 13:56:15 +0200
committerVincent Petry <vincent@nextcloud.com>2022-04-01 13:56:34 +0200
commit18c013d8fc0d95249136799c5c0e67994766d953 (patch)
treefca9753e8cad77ee192b6477edcf3222e4c62c98 /lib/private/Security
parent800fae0133f2e7321c0df3c9633138bcd8ac15b7 (diff)
Add CSP policy merge priority for booleans
When two booleans conflict when merging CSP policies, true will win. Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Diffstat (limited to 'lib/private/Security')
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicy.php7
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicyManager.php7
2 files changed, 13 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 8a72934d4c9..8d9551c8978 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -246,6 +246,13 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
}
/**
+ * @return boolean
+ */
+ public function isStrictDynamicAllowed(): bool {
+ return $this->strictDynamicAllowed;
+ }
+
+ /**
* @param boolean $strictDynamicAllowed
*/
public function setStrictDynamicAllowed(bool $strictDynamicAllowed) {
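Review bot: The docblock on the new `isStrictDynamicAllowed()` says only `@return boolean`, which repeats the native `: bool` return type and does not say what the flag controls. Since the manager's merge now reads this getter to decide whether the merged policy is loosened, a one-line description would help, for example `Whether 'strict-dynamic' is allowed, i.e. scripts loaded by an already trusted script are trusted as well.` The body of `setStrictDynamicAllowed()` that follows lies outside the hunk.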
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyManager.php b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
index ff770435eda..4930dcb759c 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
@@ -82,7 +82,12 @@ class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
$currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
$defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
} elseif (\is_bool($value)) {
- $defaultPolicy->$setter($value);
+ $getter = 'is'.ucfirst($name);
+ $currentValue = $defaultPolicy->$getter();
+ // true wins over false
+ if ($value > $currentValue) {
+ $defaultPolicy->$setter($value);
+ }
}
}
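Review bot: In the `\is_bool($value)` branch, `$defaultPolicy->$getter()` is called with a name built as `'is'.ucfirst($name)` and nothing checks that such a method exists, so a boolean property without a matching `is…` getter would abort the merge with a fatal error; this commit adds only `isStrictDynamicAllowed()`, and the getters for any other boolean properties are not visible here. Guarding with `if (!method_exists($defaultPolicy, $getter)) { $defaultPolicy->$setter($value); continue; }` would keep the previous behaviour for such properties. The rule also makes the merge one-way toward the permissive side: once any contributing policy sets an allow-flag, no later policy can clear it. The comment `// true wins over false` should say so, e.g. `// Allow-flags can only be widened by a merge: one policy that permits the feature enables it in the result.` The comparison `$value > $currentValue` relies on boolean ordering and would read more plainly as `if ($value && !$currentValue)`. The enclosing method starts before this hunk.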