authorFerdinand Thiessen <opensource@fthiessen.de>2024-08-01 23:06:23 +0200
committerFerdinand Thiessen <opensource@fthiessen.de>2024-08-13 09:52:33 +0200
commit86f01a3358df1c5b9c8c8f78ffa46f2cf234b0e3 (patch)
tree4669313c975d3a84dfac0839595e8630faa2c732 /lib/public
parent73397cd75998c70ccbb5d2cfa87465b88ba23152 (diff)
downloadnextcloud-server-86f01a3358df1c5b9c8c8f78ffa46f2cf234b0e3.tar.gz
nextcloud-server-86f01a3358df1c5b9c8c8f78ffa46f2cf234b0e3.zip
fix: Make sure CSP nonce is not double base64 encoded
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib/public')
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 5b4cf7eab8b..7772f2f3f3c 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -89,7 +89,7 @@ class EmptyContentSecurityPolicy {
}
/**
- * Use the according JS nonce
+ * Use the according base64 encoded JS nonce
* This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
*
* @param string $nonce
@@ -448,7 +448,7 @@ class EmptyContentSecurityPolicy {
if ($this->strictDynamicAllowed) {
$scriptSrc .= '\'strict-dynamic\' ';
}
- $scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\'';
+ $scriptSrc .= '\'nonce-'.$this->jsNonce.'\'';
$allowedScriptDomains = array_flip($this->allowedScriptDomains);
unset($allowedScriptDomains['\'self\'']);
$this->allowedScriptDomains = array_flip($allowedScriptDomains);
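Review bot: With `base64_encode()` dropped from the `$scriptSrc .= '\'nonce-'.$this->jsNonce.'\''` line, the stored nonce reaches the `script-src` directive verbatim, so the character-set guarantee the encoding step used to give is gone. A value containing a quote, space or semicolon would change the emitted policy rather than just fail to match. The setter's body is outside this diff, so it may already validate. If it does not, it should reject anything outside the CSP base64 alphabet, e.g. `if (preg_match('/^[A-Za-z0-9+\/_-]+={0,2}$/', $nonce) !== 1) { throw new \InvalidArgumentException('CSP nonce must be base64 encoded'); }`. The docblock in the first hunk could also state that the value is emitted unmodified and that the caller is responsible for the encoding. The method enclosing this hunk starts and ends outside it.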