From fdcb8edd78c645e722716fec1d12fa8fac750553 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 26 Oct 2016 09:41:18 +0200
Subject: [PATCH] Add nonce also to legacy CSP

Pages that do not use the AppFramework have its CSP inherited from `\OC_Response::addSecurityHeaders`. While those are not many anymore, there are some examples such as the "Help" page.

To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.

To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 lib/private/legacy/response.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
index 88725d5e30b..69c84e2df68 100644
--- a/lib/private/legacy/response.php
+++ b/lib/private/legacy/response.php
@@ -247,7 +247,7 @@ class OC_Response {
 		 * @see \OCP\AppFramework\Http\Response::getHeaders
 		 */
 		$policy = 'default-src \'self\'; '
-			. 'script-src \'self\' \'unsafe-eval\'; '
+			. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
 			. 'style-src \'self\' \'unsafe-inline\'; '
 			. 'frame-src *; '
 			. 'img-src * data: blob:; '
-- 
GitLab