diff --git a/lib/public/AppFramework/Http/DataDisplayResponse.php b/lib/public/AppFramework/Http/DataDisplayResponse.php
index 4932b9db6688e53f4f92023dbff2a5d76100247b..3ab64c470e5dd0d79cec1be0a2fa67cd4b864fd9 100644
--- a/lib/public/AppFramework/Http/DataDisplayResponse.php
+++ b/lib/public/AppFramework/Http/DataDisplayResponse.php
@@ -49,6 +49,8 @@ class DataDisplayResponse extends Response {
 	 */
 	public function __construct($data='', $statusCode=Http::STATUS_OK,
 	                            $headers=[]) {
+		parent::__construct();
+
 		$this->data = $data;
 		$this->setStatus($statusCode);
 		$this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/DataResponse.php b/lib/public/AppFramework/Http/DataResponse.php
index 17e68134438904aa54b45af7d78c10c1823a72c8..9c7a386f7cdc25881025e9ce52304777ac114b64 100644
--- a/lib/public/AppFramework/Http/DataResponse.php
+++ b/lib/public/AppFramework/Http/DataResponse.php
@@ -52,6 +52,8 @@ class DataResponse extends Response {
 	 */
 	public function __construct($data=array(), $statusCode=Http::STATUS_OK,
 	                            array $headers=array()) {
+		parent::__construct();
+
 		$this->data = $data;
 		$this->setStatus($statusCode);
 		$this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/DownloadResponse.php b/lib/public/AppFramework/Http/DownloadResponse.php
index 46f318d9b82771cb6587291804349961bad189b5..774a6287cb2a483304175609945c0de2fcc4c353 100644
--- a/lib/public/AppFramework/Http/DownloadResponse.php
+++ b/lib/public/AppFramework/Http/DownloadResponse.php
@@ -30,7 +30,7 @@ namespace OCP\AppFramework\Http;
  * Prompts the user to download the a file
  * @since 7.0.0
  */
-class DownloadResponse extends \OCP\AppFramework\Http\Response {
+class DownloadResponse extends Response {
 
 	private $filename;
 	private $contentType;
@@ -42,6 +42,8 @@ class DownloadResponse extends \OCP\AppFramework\Http\Response {
 	 * @since 7.0.0
 	 */
 	public function __construct($filename, $contentType) {
+		parent::__construct();
+
 		$this->filename = $filename;
 		$this->contentType = $contentType;
 
diff --git a/lib/public/AppFramework/Http/FileDisplayResponse.php b/lib/public/AppFramework/Http/FileDisplayResponse.php
index ab23701f89370f92757434c7c8670ac1c1bc1255..2d2dd29e6a1b3f66c350ee5c9cf7415a2dfd6086 100644
--- a/lib/public/AppFramework/Http/FileDisplayResponse.php
+++ b/lib/public/AppFramework/Http/FileDisplayResponse.php
@@ -45,6 +45,8 @@ class FileDisplayResponse extends Response implements ICallbackResponse {
 	 */
 	public function __construct($file, $statusCode=Http::STATUS_OK,
 								$headers=[]) {
+		parent::__construct();
+
 		$this->file = $file;
 		$this->setStatus($statusCode);
 		$this->setHeaders(array_merge($this->getHeaders(), $headers));
diff --git a/lib/public/AppFramework/Http/JSONResponse.php b/lib/public/AppFramework/Http/JSONResponse.php
index 1b8b676e6013c066e57de2ef54560df84e0cf68c..b80434079bac84d5ac4378dfbf53d842137ff27d 100644
--- a/lib/public/AppFramework/Http/JSONResponse.php
+++ b/lib/public/AppFramework/Http/JSONResponse.php
@@ -53,6 +53,8 @@ class JSONResponse extends Response {
 	 * @since 6.0.0
 	 */
 	public function __construct($data=array(), $statusCode=Http::STATUS_OK) {
+		parent::__construct();
+
 		$this->data = $data;
 		$this->setStatus($statusCode);
 		$this->addHeader('Content-Type', 'application/json; charset=utf-8');
diff --git a/lib/public/AppFramework/Http/NotFoundResponse.php b/lib/public/AppFramework/Http/NotFoundResponse.php
index 7f068a4c413013dd0b5e5fb787fe0249fa1cd73b..6d764ec526e7b56444439e002446c70fa548a846 100644
--- a/lib/public/AppFramework/Http/NotFoundResponse.php
+++ b/lib/public/AppFramework/Http/NotFoundResponse.php
@@ -35,6 +35,8 @@ class NotFoundResponse extends Response {
 	 * @since 8.1.0
 	 */
 	public function __construct() {
+		parent::__construct();
+
 		$this->setStatus(404);
 	}
 
diff --git a/lib/public/AppFramework/Http/OCSResponse.php b/lib/public/AppFramework/Http/OCSResponse.php
index 3480aa172ff0351e8b28257c015780b536f782f7..5f56913a45a8af68cab6dc1c77dc3e4a4e53cc6f 100644
--- a/lib/public/AppFramework/Http/OCSResponse.php
+++ b/lib/public/AppFramework/Http/OCSResponse.php
@@ -59,6 +59,8 @@ class OCSResponse extends Response {
 	public function __construct($format, $statuscode, $message,
 								$data=[], $itemscount='',
 								$itemsperpage='') {
+		parent::__construct();
+
 		$this->format = $format;
 		$this->statuscode = $statuscode;
 		$this->message = $message;
diff --git a/lib/public/AppFramework/Http/RedirectResponse.php b/lib/public/AppFramework/Http/RedirectResponse.php
index 0ce3a64cb38fdaf1bb3d4f84a4dbdda9f7692d6e..dc44bbe999c9fd11917df43ccfcd70a76e0c34ae 100644
--- a/lib/public/AppFramework/Http/RedirectResponse.php
+++ b/lib/public/AppFramework/Http/RedirectResponse.php
@@ -43,6 +43,8 @@ class RedirectResponse extends Response {
 	 * @since 7.0.0
 	 */
 	public function __construct($redirectURL) {
+		parent::__construct();
+
 		$this->redirectURL = $redirectURL;
 		$this->setStatus(Http::STATUS_SEE_OTHER);
 		$this->addHeader('Location', $redirectURL);
diff --git a/lib/public/AppFramework/Http/Response.php b/lib/public/AppFramework/Http/Response.php
index a6f5afd3c185edb78e3b673b0dfcf1284f8edd1d..98c0a7f5f70cfb185170c966e3aa6bed3a6452bc 100644
--- a/lib/public/AppFramework/Http/Response.php
+++ b/lib/public/AppFramework/Http/Response.php
@@ -89,6 +89,15 @@ class Response {
 	/** @var array */
 	private $throttleMetadata = [];
 
+	/**
+	 * Response constructor.
+	 *
+	 * @since 17.0.0
+	 */
+	public function __construct() {
+		$this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
+	}
+
 	/**
 	 * Caches the response
 	 * @param int $cacheSeconds the amount of seconds that should be cached
diff --git a/lib/public/AppFramework/Http/StreamResponse.php b/lib/public/AppFramework/Http/StreamResponse.php
index 8ffc94dc8f1b758d6a6efe07994c93e45d3eaa5c..d8a183bba5045c2e783517f61fa9100d193924f2 100644
--- a/lib/public/AppFramework/Http/StreamResponse.php
+++ b/lib/public/AppFramework/Http/StreamResponse.php
@@ -42,6 +42,8 @@ class StreamResponse extends Response implements ICallbackResponse {
 	 * @since 8.1.0
 	 */
 	public function __construct ($filePath) {
+		parent::__construct();
+
 		$this->filePath = $filePath;
 	}
 
diff --git a/lib/public/AppFramework/Http/TemplateResponse.php b/lib/public/AppFramework/Http/TemplateResponse.php
index f6436038cc355d021325cfbca7bbebd15206d85c..334928cc03c2a0b156362a52e5ff1dce55c0dea1 100644
--- a/lib/public/AppFramework/Http/TemplateResponse.php
+++ b/lib/public/AppFramework/Http/TemplateResponse.php
@@ -75,10 +75,14 @@ class TemplateResponse extends Response {
 	 */
 	public function __construct($appName, $templateName, array $params=array(),
 	                            $renderAs='user') {
+		parent::__construct();
+
 		$this->templateName = $templateName;
 		$this->appName = $appName;
 		$this->params = $params;
 		$this->renderAs = $renderAs;
+
+		$this->setContentSecurityPolicy(new ContentSecurityPolicy());
 	}
 
 
diff --git a/lib/public/AppFramework/Http/ZipResponse.php b/lib/public/AppFramework/Http/ZipResponse.php
index 630efb38c7d73c42a64d5f4a34f100c7ba65e1f8..bec0812ab0cd46e13c81bd87d3b2f83d1cc424dd 100644
--- a/lib/public/AppFramework/Http/ZipResponse.php
+++ b/lib/public/AppFramework/Http/ZipResponse.php
@@ -44,6 +44,8 @@ class ZipResponse extends Response implements ICallbackResponse {
 	 * @since 15.0.0
 	 */
 	public function __construct(IRequest $request, string $name = 'output') {
+		parent::__construct();
+
 		$this->name = $name;
 		$this->request = $request;
 	}
diff --git a/tests/lib/AppFramework/Controller/ControllerTest.php b/tests/lib/AppFramework/Controller/ControllerTest.php
index 3d1d7e66e8489140da74a80589fc778b16af5b99..c37a2a3456c26bd66f1cf6d2134ec06c0f3e97bb 100644
--- a/tests/lib/AppFramework/Controller/ControllerTest.php
+++ b/tests/lib/AppFramework/Controller/ControllerTest.php
@@ -116,7 +116,7 @@ class ControllerTest extends \Test\TestCase {
 			'test' => 'something',
 			'Cache-Control' => 'no-cache, no-store, must-revalidate',
 			'Content-Type' => 'application/json; charset=utf-8',
-			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
+			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
 		];
 
 		$response = $this->controller->customDataResponse(array('hi'));
diff --git a/tests/lib/AppFramework/Http/DataResponseTest.php b/tests/lib/AppFramework/Http/DataResponseTest.php
index 67ffdde8669e8fee86c5b38d2d31e40fb7237b3d..e0eca83f6e9d5d066ea0fb3ac217347672a4240f 100644
--- a/tests/lib/AppFramework/Http/DataResponseTest.php
+++ b/tests/lib/AppFramework/Http/DataResponseTest.php
@@ -68,7 +68,7 @@ class DataResponseTest extends \Test\TestCase {
 
 		$expectedHeaders = [
 			'Cache-Control' => 'no-cache, no-store, must-revalidate',
-			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'",
+			'Content-Security-Policy' => "default-src 'none';base-uri 'none';manifest-src 'self'",
 		];
 		$expectedHeaders = array_merge($expectedHeaders, $headers);
 
diff --git a/tests/lib/AppFramework/Http/ResponseTest.php b/tests/lib/AppFramework/Http/ResponseTest.php
index 18a9a398f72531125216c06e9e0494af8cede10a..e840111db1945a616c24934c025b13537fe74bee 100644
--- a/tests/lib/AppFramework/Http/ResponseTest.php
+++ b/tests/lib/AppFramework/Http/ResponseTest.php
@@ -59,7 +59,7 @@ class ResponseTest extends \Test\TestCase {
 
 		$this->childResponse->setHeaders($expected);
 		$headers = $this->childResponse->getHeaders();
-		$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self'";
+		$expected['Content-Security-Policy'] = "default-src 'none';base-uri 'none';manifest-src 'self'";
 
 		$this->assertEquals($expected, $headers);
 	}
@@ -86,7 +86,7 @@ class ResponseTest extends \Test\TestCase {
 	}
 
 	public function testGetCspEmpty() {
-		$this->assertNull($this->childResponse->getContentSecurityPolicy());
+		$this->assertEquals(new Http\EmptyContentSecurityPolicy(), $this->childResponse->getContentSecurityPolicy());
 	}
 
 	public function testAddHeaderValueNullDeletesIt(){