2 files changed, 10 insertions, 20 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
index 97faa0edf49..8fe9b4dca03 100644
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -380,7 +380,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 				$app->isLoggedIn(),
 				$app->isAdminUser(),
 				$app->getServer()->getContentSecurityPolicyManager(),
-				$app->getServer()->getCsrfTokenManager()
+				$app->getServer()->getCsrfTokenManager(),
+				$app->getServer()->getContentSecurityPolicyNonceManager()
 			);
 		});
 
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 6c33c0023ea..183e55740ea 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -36,6 +36,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\CSP\ContentSecurityPolicyManager;
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
@@ -80,6 +81,8 @@ class SecurityMiddleware extends Middleware {
 	private $contentSecurityPolicyManager;
 	/** @var CsrfTokenManager */
 	private $csrfTokenManager;
+	/** @var ContentSecurityPolicyNonceManager */
+	private $cspNonceManager;
 
 	/**
 	 * @param IRequest $request
@@ -92,6 +95,7 @@ class SecurityMiddleware extends Middleware {
 	 * @param bool $isAdminUser
 	 * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
 	 * @param CSRFTokenManager $csrfTokenManager
+	 * @param ContentSecurityPolicyNonceManager $cspNonceManager
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@@ -102,7 +106,8 @@ class SecurityMiddleware extends Middleware {
 								$isLoggedIn,
 								$isAdminUser,
 								ContentSecurityPolicyManager $contentSecurityPolicyManager,
-								CsrfTokenManager $csrfTokenManager) {
+								CsrfTokenManager $csrfTokenManager,
+								ContentSecurityPolicyNonceManager $cspNonceManager) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@@ -113,6 +118,7 @@ class SecurityMiddleware extends Middleware {
 		$this->isAdminUser = $isAdminUser;
 		$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
 		$this->csrfTokenManager = $csrfTokenManager;
+		$this->cspNonceManager = $cspNonceManager;
 	}
 
 
@@ -177,23 +183,6 @@ class SecurityMiddleware extends Middleware {
 
 	}
 
-	private function browserSupportsCspV3() {
-		$browserWhitelist = [
-			// Chrome 40+
-			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/',
-			// Firefox 45+
-			'/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/',
-			// Safari 10+
-			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/1[0-9.]+ Safari\/[0-9.A-Z]+$/',
-		];
-
-		if($this->request->isUserAgent($browserWhitelist)) {
-			return true;
-		}
-
-		return false;
-	}
-
 	/**
 	 * Performs the default CSP modifications that may be injected by other
 	 * applications
@@ -213,7 +202,7 @@ class SecurityMiddleware extends Middleware {
 		$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
 		$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
 
-		if($this->browserSupportsCspV3()) {
+		if($this->cspNonceManager->browserSupportsCspV3()) {
 			$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
 		}