Diffstat (limited to 'lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php')
-rw-r--r-- | lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 0f637e5afd6..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -30,7 +30,11 @@ class ContentSecurityPolicyNonceManager {
 public function getNonce(): string {
 if ($this->nonce === '') {
 if (empty($this->request->server['CSP_NONCE'])) {
- $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+ // Get the token from the CSRF token, we only use the "shared secret" part
+ // as the first part does not add any security / entropy to the token
+ // so it can be ignored to keep the nonce short while keeping the same randomness
+ $csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+ $this->nonce = end($csrfSecret);
 } else {
 $this->nonce = $this->request->server['CSP_NONCE'];
 } |
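Review bot: The nonce now depends on the serialisation format of getEncryptedValue() — that a ':' separates the parts and that the shared secret is the last one — but the split on the new `$csrfSecret = explode(...)` line checks nothing, so a future change to that format (different separator, reordered parts, trailing separator) would silently make the nonce some other segment of the token, or an empty string that yields a useless `'nonce-'` source. The format is defined elsewhere, so I would guard the shape here: `$csrfSecret = end($parts);` followed by `if ($csrfSecret === '') { throw new \RuntimeException('Unexpected CSRF token format for CSP nonce'); }`, and add a docblock on getNonce() stating that the returned value is the base64 shared-secret segment of the request's CSRF token and that it must be identical to the nonce emitted in the Content-Security-Policy header for the same request. Minor style: the extra parentheses around the explode() argument are redundant. The enclosing getNonce() body (its return and closing brace) continues past the end of the hunk.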