Merge pull request #14724 from nextcloud/enh/nonce_for_iframes

CSP: set nonce for iframes
2019-03-18 16:17:18 +01:00 · 2019-03-18 16:17:18 +01:00 · 458359563b
parent 4824d278f9 4d8e1f6c67
commit 458359563b
1 changed files with 5 additions and 1 deletions
--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@ -468,7 +468,11 @@ class EmptyContentSecurityPolicy {
 		}
 		if(!empty($this->allowedFrameDomains)) {
-			$policy .= 'frame-src ' . implode(' ', $this->allowedFrameDomains);
+			$policy .= 'frame-src ';
 			if(is_string($this->useJsNonce)) {
 				$policy .= '\'nonce-' . base64_encode($this->useJsNonce) . '\' ';
 			}
 			$policy .= implode(' ', $this->allowedFrameDomains);
 			$policy .= ';';
 		}