Add nonce also to legacy CSP

[LukasReschke]

Pages that do not use the AppFramework have its CSP inherited from \OC_Response::addSecurityHeaders. While those are not many anymore, there are some examples such as the "Help" page.

To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.

To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.

Signed-off-by: Lukas Reschke [email protected]

cc @rullzer

[mention-bot]

@LukasReschke, thanks for your PR! By analyzing the history of the files in this pull request, we identified @DeepDiver1975, @bartv2 and @bantu to be potential reviewers.

[nickvergessen]

Works after fixing Chromium being identified as Chrome to make use of the feature.
Pushed it to this branch after talking to lukas

👍

[LukasReschke]

Thanks, @nickvergessen 🚀

[codecov-io]

Current coverage is 57.18% (diff: 0.00%)

Merging #1920 into master will decrease coverage by 0.16%

@@             master      #1920   diff @@
==========================================
  Files          1078       1078          
  Lines         61498      61701   +203   
  Methods        6875       6900    +25   
  Messages          0          0          
  Branches          0          0          
==========================================
+ Hits          35266      35282    +16   
- Misses        26232      26419   +187   
  Partials          0          0          

Diff Coverage	File Path
0%	...e/Security/CSP/ContentSecurityPolicyNonceManager.php
0%	lib/private/legacy/response.php
•••••••••• 100%	lib/private/AppFramework/Http/Request.php

Powered by Codecov. Last update a973c1b...c20ab00

[rullzer]

yes LGTM!