diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2016-10-26 09:41:18 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2016-10-26 09:41:18 +0200 |
| commit | fdcb8edd78c645e722716fec1d12fa8fac750553 (patch) | |
| tree | 8c7b7016e55e7fcded15f155c53d95dc838238e0 /lib | |
| parent | a973c1bfb9b8ac444009b19fd1107483676dfd25 (diff) | |
| download | nextcloud-server-fdcb8edd78c645e722716fec1d12fa8fac750553.tar.gz nextcloud-server-fdcb8edd78c645e722716fec1d12fa8fac750553.zip | |
Add nonce also to legacy CSP
Pages that do not use the AppFramework have its CSP inherited from `\OC_Response::addSecurityHeaders`. While those are not many anymore, there are some examples such as the "Help" page.
To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.
To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/legacy/response.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php index 88725d5e30b..69c84e2df68 100644 --- a/lib/private/legacy/response.php +++ b/lib/private/legacy/response.php @@ -247,7 +247,7 @@ class OC_Response { * @see \OCP\AppFramework\Http\Response::getHeaders */ $policy = 'default-src \'self\'; ' - . 'script-src \'self\' \'unsafe-eval\'; ' + . 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; ' . 'style-src \'self\' \'unsafe-inline\'; ' . 'frame-src *; ' . 'img-src * data: blob:; ' |