authorFerdinand Thiessen <opensource@fthiessen.de>2023-11-17 22:01:02 +0100
committerFerdinand Thiessen <opensource@fthiessen.de>2023-11-17 22:01:02 +0100
commitecf9f0a872cc310f232b6a7c1622a40441987bf6 (patch)
tree758189d783aa777dc53876f86d85ef523aecb9ed /lib
parent4fa2749fa8666e5ce1e6d5c0a98e7a29600b49c0 (diff)
fix(CSP): Only add `strict-dynamic` when using nonces
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index 960efa75d2c..aeee4a4ee74 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -37,8 +37,8 @@ namespace OCP\AppFramework\Http;
* @since 9.0.0
*/
class EmptyContentSecurityPolicy {
- /** @var string Whether JS nonces should be used */
- protected $useJsNonce = null;
+ /** @var string JS nonce to be used */
+ protected $jsNonce = null;
/** @var bool Whether strict-dynamic should be used */
protected $strictDynamicAllowed = null;
/** @var bool Whether strict-dynamic should be used on script-src-elem */
@@ -116,7 +116,7 @@ class EmptyContentSecurityPolicy {
* @since 11.0.0
*/
public function useJsNonce($nonce) {
- $this->useJsNonce = $nonce;
+ $this->jsNonce = $nonce;
return $this;
}
@@ -463,11 +463,11 @@ class EmptyContentSecurityPolicy {
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
$policy .= 'script-src ';
$scriptSrc = '';
- if (is_string($this->useJsNonce)) {
+ if (is_string($this->jsNonce)) {
if ($this->strictDynamicAllowed) {
$scriptSrc .= '\'strict-dynamic\' ';
}
- $scriptSrc .= '\'nonce-'.base64_encode($this->useJsNonce).'\'';
+ $scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\'';
$allowedScriptDomains = array_flip($this->allowedScriptDomains);
unset($allowedScriptDomains['\'self\'']);
$this->allowedScriptDomains = array_flip($allowedScriptDomains);
@@ -488,7 +488,7 @@ class EmptyContentSecurityPolicy {
}
// We only need to set this if 'strictDynamicAllowed' is not set because otherwise we can simply fall back to script-src
- if ($this->strictDynamicAllowedOnScripts && !(is_string($this->useJsNonce) && $this->strictDynamicAllowed)) {
+ if ($this->strictDynamicAllowedOnScripts && is_string($this->jsNonce) && !$this->strictDynamicAllowed) {
$policy .= 'script-src-elem \'strict-dynamic\' ';
$policy .= $scriptSrc ?? '';
$policy .= ';';
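Review bot: The rewritten condition on the `script-src-elem` `if` now requires a nonce, but the nonce only reaches the output through `$scriptSrc`, which is initialised inside the earlier `script-src` branch (guarded by `!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed`); when that branch is skipped, `$scriptSrc ?? ''` yields an empty string and the header becomes `script-src-elem 'strict-dynamic' ;`, which carries no nonce or hash to trust and therefore blocks every script element in strict-dynamic-capable browsers. Emitting the nonce directly closes that gap: `$policy .= $scriptSrc ?? '\'nonce-' . base64_encode($this->jsNonce) . '\'';`. The `??` here also quietly covers an undefined local rather than an optional value, so initialising `$scriptSrc = ''` before the `script-src` branch (outside this hunk) would make the data flow explicit. Both new `is_string($this->jsNonce)` checks accept an empty string, which produces the invalid source `'nonce-'` while the script-src branch has already stripped `'self'`; a `$this->jsNonce !== ''` check (or a `?string` property with a non-empty test) would be safer. The enclosing method begins before and ends after this hunk.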