1 files changed, 18 insertions, 53 deletions

diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index f3329135727..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -3,30 +3,8 @@
 declare(strict_types=1);
 
 /**
- * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
- *
- * @author Christoph Wurst <christoph@winzerhof-wurst.at>
- * @author Joas Schilling <coding@schilljs.com>
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Pavel Krasikov <klonishe@gmail.com>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- * @author Sam Bull <aa6bs0@sambull.org>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 namespace OC\Security\CSP;
 
@@ -38,32 +16,25 @@ use OCP\IRequest;
  * @package OC\Security\CSP
  */
 class ContentSecurityPolicyNonceManager {
-	/** @var CsrfTokenManager */
-	private $csrfTokenManager;
-	/** @var IRequest */
-	private $request;
-	/** @var string */
-	private $nonce = '';
+	private string $nonce = '';
 
-	/**
-	 * @param CsrfTokenManager $csrfTokenManager
-	 * @param IRequest $request
-	 */
-	public function __construct(CsrfTokenManager $csrfTokenManager,
-								IRequest $request) {
-		$this->csrfTokenManager = $csrfTokenManager;
-		$this->request = $request;
+	public function __construct(
+		private CsrfTokenManager $csrfTokenManager,
+		private IRequest $request,
+	) {
 	}
 
 	/**
-	 * Returns the current CSP nounce
-	 *
-	 * @return string
+	 * Returns the current CSP nonce
 	 */
 	public function getNonce(): string {
 		if ($this->nonce === '') {
 			if (empty($this->request->server['CSP_NONCE'])) {
-				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+				// Get the token from the CSRF token, we only use the "shared secret" part
+				// as the first part does not add any security / entropy to the token
+				// so it can be ignored to keep the nonce short while keeping the same randomness
+				$csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+				$this->nonce = end($csrfSecret);
 			} else {
 				$this->nonce = $this->request->server['CSP_NONCE'];
 			}
@@ -74,22 +45,16 @@ class ContentSecurityPolicyNonceManager {
 
 	/**
 	 * Check if the browser supports CSP v3
-	 *
-	 * @return bool
 	 */
 	public function browserSupportsCspV3(): bool {
-		$browserWhitelist = [
-			Request::USER_AGENT_CHROME,
-			// Firefox 45+
-			'/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/',
-			// Safari 12+
-			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/(?:1[2-9]|[2-9][0-9])\.[0-9]+(?:\.[0-9]+)? Safari\/[0-9.A-Z]+$/',
+		$browserBlocklist = [
+			Request::USER_AGENT_IE,
 		];
 
-		if ($this->request->isUserAgent($browserWhitelist)) {
-			return true;
+		if ($this->request->isUserAgent($browserBlocklist)) {
+			return false;
 		}
 
-		return false;
+		return true;
 	}
 }