wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CSP: set nonce for iframes

Browse source 
This for now uses the jsNonce. That way we can easily backport it.
For 17 I will fix it properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-03-16 20:19:43 +01:00
parent f8988c257c
commit 4d8e1f6c67
No known key found for this signature in database
GPG key ID: F941078878347C0C
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
View file

@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
} }
if(!empty($this->allowedFrameDomains)) { if(!empty($this->allowedFrameDomains)) {
$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains); $policy .= 'frame-src ';
if(is_string($this->useJsNonce)) {
$policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
}
$policy .= implode(' ', $this->allowedFrameDomains);
$policy .= ';'; $policy .= ';';
} }