CSP: set nonce for iframes

This for now uses the jsNonce. That way we can easily backport it. For 17 I will fix it properly. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2019-03-16 20:19:43 +0100
committer: Roeland Jago Douma <roeland@famdouma.nl> 2019-03-16 20:20:03 +0100
commit: 4d8e1f6c679b062a5eaa0b651863890c37f334ce (patch)
tree: c32ba874a641bf5c542ef368f82618b163a7ae38 /lib/public
parent: f8988c257c9217e968a377ce38ea558862948118 (diff)
download: nextcloud-server-4d8e1f6c679b062a5eaa0b651863890c37f334ce.tar.gz
nextcloud-server-4d8e1f6c679b062a5eaa0b651863890c37f334ce.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 3fcef1d0efd..0a77e27d8c0 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
 		}
 
 		if(!empty($this->allowedFrameDomains)) {
-			$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
+			$policy .= 'frame-src ';
+			if(is_string($this->useJsNonce)) {
+				$policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
+			}
+			$policy .= implode(' ', $this->allowedFrameDomains);
 			$policy .= ';';
 		}
author	Roeland Jago Douma <roeland@famdouma.nl>	2019-03-16 20:19:43 +0100
committer	Roeland Jago Douma <roeland@famdouma.nl>	2019-03-16 20:20:03 +0100
commit	4d8e1f6c679b062a5eaa0b651863890c37f334ce (patch)
tree	c32ba874a641bf5c542ef368f82618b163a7ae38 /lib/public
parent	f8988c257c9217e968a377ce38ea558862948118 (diff)
download	nextcloud-server-4d8e1f6c679b062a5eaa0b651863890c37f334ce.tar.gz nextcloud-server-4d8e1f6c679b062a5eaa0b651863890c37f334ce.zip