Skip to content

Fix CSP for script-src with nonce on edge #43778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
juliusknorr merged 3 commits into from
Mar 8, 2024
Merged

Fix CSP for script-src with nonce on edge #43778

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b8c5bff
fix: Adjust user agent pattern for Edge
juliusknorr Feb 23, 2024
02d6d3f
fix: Add edge as supported user agent for CSPv3 nonces
juliusknorr Feb 23, 2024
78ba1b0
fix: Allow nonce in csp header also if no other reasons are given
juliusknorr Feb 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
fix: Allow nonce in csp header also if no other reasons are given 
Signed-off-by: Julius Härtl <[email protected]>
  • Loading branch information
@juliusknorr
juliusknorr committed Mar 8, 2024
commit 78ba1b0712a1fd15e408b4e84007d20b6bbe39d6
6 changes: 3 additions & 3 deletions lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,8 @@
* @since 9.0.0
*/
class EmptyContentSecurityPolicy {
/** @var string JS nonce to be used */
protected $jsNonce = null;
/** @var ?string JS nonce to be used */
protected ?string $jsNonce = null;
/** @var bool Whether strict-dynamic should be used */
protected $strictDynamicAllowed = null;
/** @var bool Whether strict-dynamic should be used on script-src-elem */
Expand Down Expand Up @@ -460,7 +460,7 @@ public function buildPolicy() {
$policy .= "base-uri 'none';";
$policy .= "manifest-src 'self';";

if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
$policy .= 'script-src ';
$scriptSrc = '';
if (is_string($this->jsNonce)) {
Expand Down