Merge pull request #14724 from nextcloud/enh/nonce_for_iframes

CSP: set nonce for iframes
2019-03-18 16:17:18 +01:00 · 2019-03-18 16:17:18 +01:00 · 458359563b
commit 458359563b
parent 4824d278f9 4d8e1f6c67
1 changed files with 5 additions and 1 deletions
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
 		}

 		if(!empty($this->allowedFrameDomains)) {
-			$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
+			$policy .= 'frame-src ';
+			if(is_string($this->useJsNonce)) {
+				$policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
+			}
+			$policy .= implode(' ', $this->allowedFrameDomains);
 			$policy .= ';';
 		}