aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Security/CSP
diff options
context:
space:
mode:
Diffstat (limited to 'lib/private/Security/CSP')
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicyManager.php6
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php6
2 files changed, 8 insertions, 4 deletions
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyManager.php b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
index 77ecceb03c3..e9d6b2945a8 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
@@ -52,13 +52,13 @@ class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
EmptyContentSecurityPolicy $originalPolicy,
): ContentSecurityPolicy {
foreach ((object)(array)$originalPolicy as $name => $value) {
- $setter = 'set'.ucfirst($name);
+ $setter = 'set' . ucfirst($name);
if (\is_array($value)) {
- $getter = 'get'.ucfirst($name);
+ $getter = 'get' . ucfirst($name);
$currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
$defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
} elseif (\is_bool($value)) {
- $getter = 'is'.ucfirst($name);
+ $getter = 'is' . ucfirst($name);
$currentValue = $defaultPolicy->$getter();
// true wins over false
if ($value > $currentValue) {
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 0f637e5afd6..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -30,7 +30,11 @@ class ContentSecurityPolicyNonceManager {
public function getNonce(): string {
if ($this->nonce === '') {
if (empty($this->request->server['CSP_NONCE'])) {
- $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+ // Get the token from the CSRF token, we only use the "shared secret" part
+ // as the first part does not add any security / entropy to the token
+ // so it can be ignored to keep the nonce short while keeping the same randomness
+ $csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+ $this->nonce = end($csrfSecret);
} else {
$this->nonce = $this->request->server['CSP_NONCE'];
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-15 12:57:39 +0000