Merge pull request #44412 from nextcloud/fix/add-csp-nonce-by-default

fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blacklist
nextcloud · Mar 26, 2024 · 0cb691d · 0cb691d
2 parents 42f4e6a + 5a513c9
commit 0cb691d
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -65,17 +65,14 @@ public function getNonce(): string {
 	 * Check if the browser supports CSP v3
 	 */
 	public function browserSupportsCspV3(): bool {
-		$browserWhitelist = [
-			Request::USER_AGENT_CHROME,
-			Request::USER_AGENT_FIREFOX,
-			Request::USER_AGENT_SAFARI,
-			Request::USER_AGENT_MS_EDGE,
+		$browserBlocklist = [
+			Request::USER_AGENT_IE,
 		];
 
-		if ($this->request->isUserAgent($browserWhitelist)) {
-			return true;
+		if ($this->request->isUserAgent($browserBlocklist)) {
+			return false;
 		}
 
-		return false;
+		return true;
 	}
 }