From 78ba1b0712a1fd15e408b4e84007d20b6bbe39d6 Mon Sep 17 00:00:00 2001
From: Julius Härtl <jus@bitgrid.net>
Date: Fri, 23 Feb 2024 10:53:12 +0100
Subject: fix: Allow nonce in csp header also if no other reasons are given
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl <jus@bitgrid.net>
---
 lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'lib/public')

diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
index aeee4a4ee74..6662a302d7f 100644
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -37,8 +37,8 @@ namespace OCP\AppFramework\Http;
  * @since 9.0.0
  */
 class EmptyContentSecurityPolicy {
-	/** @var string JS nonce to be used */
-	protected $jsNonce = null;
+	/** @var ?string JS nonce to be used */
+	protected ?string $jsNonce = null;
 	/** @var bool Whether strict-dynamic should be used */
 	protected $strictDynamicAllowed = null;
 	/** @var bool Whether strict-dynamic should be used on script-src-elem */
@@ -460,7 +460,7 @@ class EmptyContentSecurityPolicy {
 		$policy .= "base-uri 'none';";
 		$policy .= "manifest-src 'self';";
 
-		if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
+		if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
 			$policy .= 'script-src ';
 			$scriptSrc = '';
 			if (is_string($this->jsNonce)) {
-- 
cgit v1.2.3