Skip to content

Commit

Permalink
fix: Allow nonce in csp header also if no other reasons are given
Browse files Browse the repository at this point in the history
Signed-off-by: Julius Härtl <[email protected]>
  • Loading branch information
juliusknorr authored and backportbot[bot] committed Mar 8, 2024
1 parent 278d9c3 commit 00dd251
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,8 @@
* @since 9.0.0
*/
class EmptyContentSecurityPolicy {
/** @var string JS nonce to be used */
protected $jsNonce = null;
/** @var ?string JS nonce to be used */
protected ?string $jsNonce = null;
/** @var bool Whether strict-dynamic should be used */
protected $strictDynamicAllowed = null;
/** @var bool Whether strict-dynamic should be used on script-src-elem */
Expand Down Expand Up @@ -460,7 +460,7 @@ public function buildPolicy() {
$policy .= "base-uri 'none';";
$policy .= "manifest-src 'self';";

if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed) {
if (!empty($this->allowedScriptDomains) || $this->evalScriptAllowed || $this->evalWasmAllowed || is_string($this->jsNonce)) {
$policy .= 'script-src ';
$scriptSrc = '';
if (is_string($this->jsNonce)) {
Expand Down

0 comments on commit 00dd251

Please sign in to comment.