From 9f1e9f1899a845f1b5c8ee8dbe8a1352072c415f Mon Sep 17 00:00:00 2001
From: the-djmaze <>
Date: Sun, 13 Nov 2022 19:41:23 +0100
Subject: [PATCH] Bugfix: Nextcloud ContentSecurityPolicy versions issue
---
 .../snappymail/lib/ContentSecurityPolicy.php | 20 +++++++++++++++----
 .../lib/Controller/PageController.php | 9 +--------
 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php b/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
index 9ecf8e121..cc2f7f6d9 100644
--- a/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
+++ b/integrations/nextcloud/snappymail/lib/ContentSecurityPolicy.php
@@ -9,7 +9,7 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 /** @var bool Whether eval in JS scripts is allowed */
 protected $evalScriptAllowed = true;
 /** @var bool Whether strict-dynamic should be set */
- protected $strictDynamicAllowed = true; // NC24+
+// protected $strictDynamicAllowed = true; // NC24+
 /** @var bool Whether inline CSS is allowed */
 protected $inlineStyleAllowed = true;
@@ -21,9 +21,9 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 $CSP->script
 ));
 $this->allowedScriptDomains = \array_diff($this->allowedScriptDomains, ["'unsafe-inline'", "'unsafe-eval'"]);
- if (\method_exists($this, 'useStrictDynamic')) {
- $this->allowedScriptDomains = \array_diff($this->allowedScriptDomains, ["'strict-dynamic'"]);
- }
+ \method_exists($this, 'useStrictDynamic')
+ ? $this->useStrictDynamic(true) // NC24+
+ : $this->addAllowedScriptDomain("'strict-dynamic'");
 $this->allowedImageDomains = \array_unique(\array_merge(
 $this->allowedImageDomains,
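Review bot: The `$strictDynamicAllowed` declaration in the first hunk is switched off by commenting it out, and nothing records why the override had to go. The docblock `/** @var bool Whether strict-dynamic should be set */` is left behind with no property under it. I would delete both lines, or replace them with one comment such as `// strict-dynamic is enabled further down: useStrictDynamic() on NC24+, a plain script source on older versions`.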
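Review bot: The version switch in the second hunk is a bare ternary evaluated only for its side effects, which hides a security-relevant branch in expression syntax. An explicit `if (\method_exists($this, 'useStrictDynamic')) { $this->useStrictDynamic(true); } else { $this->addAllowedScriptDomain("'strict-dynamic'"); }` reads more plainly and is easier to extend. It also deserves a comment stating that once 'strict-dynamic' is in script-src, CSP3 browsers ignore the host sources merged just above, so scripts load only when the nonce from `getSnappyMailNonce()` reaches the header. The enclosing method starts and ends outside this hunk, so I cannot see whether anything else there adds a nonce.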
@@ -47,4 +47,16 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 ));
 }
+ public function getSnappyMailNonce() {
+ static $sNonce;
+ if (!$sNonce) {
+ $cspManager = \OC::$server->getContentSecurityPolicyNonceManager();
+ $sNonce = $cspManager->getNonce() ?: \SnappyMail\UUID::generate();
+ if (\method_exists($cspManager, 'browserSupportsCspV3') && !$cspManager->browserSupportsCspV3()) {
+ $this->addAllowedScriptDomain("'nonce-{$sNonce}'");
+ }
+ }
+ return $sNonce;
+ }
+
 }
diff --git a/integrations/nextcloud/snappymail/lib/Controller/PageController.php b/integrations/nextcloud/snappymail/lib/Controller/PageController.php
index a3d49b78e..f64b53fea 100644
--- a/integrations/nextcloud/snappymail/lib/Controller/PageController.php
+++ b/integrations/nextcloud/snappymail/lib/Controller/PageController.php
@@ -55,15 +55,8 @@ class PageController extends Controller
 $sAppCssMin = $oConfig->Get('labs', 'use_app_debug_css', false) ? '' : '.min';
 $sLanguage = $oActions->GetLanguage(false);
- $cspManager = \OC::$server->getContentSecurityPolicyNonceManager();
- $sNonce = $cspManager->getNonce() ?: \SnappyMail\UUID::generate();
 $csp = new ContentSecurityPolicy();
- if (\method_exists($cspManager, 'browserSupportsCspV3') && !$cspManager->browserSupportsCspV3()) {
- $csp->addAllowedScriptDomain("'nonce-{$sNonce}'");
- }
- \method_exists($csp, 'useStrictDynamic')
- ? $csp->useStrictDynamic(true) // NC24+
- : $csp->addAllowedScriptDomain("'strict-dynamic'");
+ $sNonce = $csp->getSnappyMailNonce();
 $params = [
 'Admin' => $bAdmin ? 1 : 0,
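Review bot: `static $sNonce` in `getSnappyMailNonce()` caches the value per process rather than per policy object, so only the first ContentSecurityPolicy instance that calls it gets the `'nonce-…'` source added. Any later instance returns the cached value and skips `addAllowedScriptDomain()`. Holding the value in a private instance property, as in the fence below, keeps the cache and the policy mutation on the same object. The fallback `\SnappyMail\UUID::generate()` is not shown on this page; a CSP nonce must be unpredictable and fresh per response, so if that helper is not backed by a CSPRNG, `\bin2hex(\random_bytes(16))` is the safer fallback. When `getNonce()` is empty and the `browserSupportsCspV3` branch is not taken, the fallback is returned to the caller but never added to the policy, which is worth at least a comment.

```php
	/** @var string|null Script nonce, cached per policy object */
	private $sNonce = null;

	public function getSnappyMailNonce() {
		if (null === $this->sNonce) {
			// … unchanged: $cspManager lookup …
			$this->sNonce = $cspManager->getNonce() ?: \SnappyMail\UUID::generate();
			if (\method_exists($cspManager, 'browserSupportsCspV3') && !$cspManager->browserSupportsCspV3()) {
				$this->addAllowedScriptDomain("'nonce-{$this->sNonce}'");
			}
		}
		return $this->sNonce;
	}
```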
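Review bot: `$csp->getSnappyMailNonce()` in the PageController hunk reads like a getter but also adds the nonce source to `$csp` for browsers without CSP v3 support. Its position relative to where the policy is attached to the response now matters, and that code lies outside this hunk. A comment on the call would stop a later reorder from silently dropping the nonce from the header: `// also registers the nonce on $csp for pre-CSP3 browsers; keep this before the policy is attached to the response`.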