diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2023-11-17 22:01:02 +0100 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2023-11-17 22:01:02 +0100 |
| commit | ecf9f0a872cc310f232b6a7c1622a40441987bf6 (patch) | |
| tree | 758189d783aa777dc53876f86d85ef523aecb9ed /lib/public | |
| parent | 4fa2749fa8666e5ce1e6d5c0a98e7a29600b49c0 (diff) | |
| download | nextcloud-server-ecf9f0a872cc310f232b6a7c1622a40441987bf6.tar.gz nextcloud-server-ecf9f0a872cc310f232b6a7c1622a40441987bf6.zip | |
fix(CSP): Only add `strict-dynamic` when using nonces
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/public')
| -rw-r--r-- | lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php index 960efa75d2c..aeee4a4ee74 100644 --- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php @@ -37,8 +37,8 @@ namespace OCP\AppFramework\Http; * @since 9.0.0 */ class EmptyContentSecurityPolicy { - /** @var string Whether JS nonces should be used */ - protected $useJsNonce = null; + /** @var string JS nonce to be used */ + protected $jsNonce = null; /** @var bool Whether strict-dynamic should be used */ protected $strictDynamicAllowed = null; /** @var bool Whether strict-dynamic should be used on script-src-elem */ @@ -116,7 +116,7 @@ class EmptyContentSecurityPolicy { * @since 11.0.0 */ public function useJsNonce($nonce) { - $this->useJsNonce = $nonce; + $this->jsNonce = $nonce; return $this; } @@ -463,11 +463,11 @@ class EmptyContentSecurityPolicy { if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) { $policy .= 'script-src '; $scriptSrc = ''; - if (is_string($this->useJsNonce)) { + if (is_string($this->jsNonce)) { if ($this->strictDynamicAllowed) { $scriptSrc .= '\'strict-dynamic\' '; } - $scriptSrc .= '\'nonce-'.base64_encode($this->useJsNonce).'\''; + $scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\''; $allowedScriptDomains = array_flip($this->allowedScriptDomains); unset($allowedScriptDomains['\'self\'']); $this->allowedScriptDomains = array_flip($allowedScriptDomains); @@ -488,7 +488,7 @@ class EmptyContentSecurityPolicy { } // We only need to set this if 'strictDynamicAllowed' is not set because otherwise we can simply fall back to script-src - if ($this->strictDynamicAllowedOnScripts && !(is_string($this->useJsNonce) && $this->strictDynamicAllowed)) { + if ($this->strictDynamicAllowedOnScripts && is_string($this->jsNonce) && !$this->strictDynamicAllowed) { $policy .= 'script-src-elem \'strict-dynamic\' '; $policy .= $scriptSrc ?? ''; $policy .= ';'; |