From 5a513c924fbb82cfdf360c9837ba88a73e5a66a4 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Fri, 22 Mar 2024 16:03:29 +0100
Subject: fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist

Signed-off-by: Ferdinand Thiessen
---
 .../Security/CSP/ContentSecurityPolicyNonceManager.php | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

(limited to 'lib')

diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 6dbf86e5c88..827ceda7f93 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -65,17 +65,14 @@ class ContentSecurityPolicyNonceManager {
 * Check if the browser supports CSP v3
 */
 public function browserSupportsCspV3(): bool {
- $browserWhitelist = [
- Request::USER_AGENT_CHROME,
- Request::USER_AGENT_FIREFOX,
- Request::USER_AGENT_SAFARI,
- Request::USER_AGENT_MS_EDGE,
+ $browserBlocklist = [
+ Request::USER_AGENT_IE,
 ];
 
- if ($this->request->isUserAgent($browserWhitelist)) {
- return true;
+ if ($this->request->isUserAgent($browserBlocklist)) {
+ return false;
 }
 
- return false;
+ return true;
 }
 }
-- 
cgit v1.2.3
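Review bot: The docblock above `browserSupportsCspV3()` still reads "Check if the browser supports CSP v3", but the new body returns `true` for every client that does not match `Request::USER_AGENT_IE`, including unknown, empty or spoofed User-Agent strings. I would reword it to something like `* Check that the browser is not on the blocklist of user agents known to lack CSP v3 support`, and add a line saying that unknown clients are treated as supporting it and that the header is client-controlled, so the result is a compatibility hint rather than a security decision. The body could also shrink to `return !$this->request->isUserAgent($browserBlocklist);`. The callers that consume this result are outside the hunk, so what policy a non-supporting browser that slips past the blocklist ends up with should be confirmed there.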