Skip to content

Add nonce also to legacy CSP #1920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rullzer merged 2 commits into from
Oct 26, 2016
Merged

Add nonce also to legacy CSP #1920

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fdcb8ed
Add nonce also to legacy CSP
LukasReschke Oct 26, 2016
c20ab00
Identify Chromium as Chrome
nickvergessen Oct 26, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add nonce also to legacy CSP 
Pages that do not use the AppFramework have its CSP inherited from `\OC_Response::addSecurityHeaders`. While those are not many anymore, there are some examples such as the "Help" page.

To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.

To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.

Signed-off-by: Lukas Reschke <[email protected]>
  • Loading branch information
@LukasReschke
LukasReschke committed Oct 26, 2016
commit fdcb8edd78c645e722716fec1d12fa8fac750553
2 changes: 1 addition & 1 deletion lib/private/legacy/response.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -247,7 +247,7 @@ public static function addSecurityHeaders() {
* @see \OCP\AppFramework\Http\Response::getHeaders
*/
$policy = 'default-src \'self\'; '
. 'script-src \'self\' \'unsafe-eval\'; '
. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src * data: blob:; '
Expand Down