diff --git a/tests/lib/AppFramework/Controller/OCSControllerTest.php b/tests/lib/AppFramework/Controller/OCSControllerTest.php
index c1f8e4a657..0d379a8822 100644
--- a/tests/lib/AppFramework/Controller/OCSControllerTest.php
+++ b/tests/lib/AppFramework/Controller/OCSControllerTest.php
@@ -26,6 +26,7 @@ namespace Test\AppFramework\Controller;
 use OC\AppFramework\Http\Request;
 use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\OCSController;
 use OCP\IConfig;
 use OCP\Security\ISecureRandom;
@@ -92,8 +93,9 @@ class OCSControllerTest extends \Test\TestCase {
 $params = new DataResponse(['test' => 'hi']);
- $out = $controller->buildResponse($params, 'xml')->render();
- $this->assertEquals($expected, $out);
+ $response = $controller->buildResponse($params, 'xml');
+ $this->assertSame(EmptyContentSecurityPolicy::class, get_class($response->getContentSecurityPolicy()));
+ $this->assertEquals($expected, $response->render());
 }
 public function testJSON() {
@@ -111,8 +113,10 @@ class OCSControllerTest extends \Test\TestCase {
 '"totalitems":"","itemsperpage":""},"data":{"test":"hi"}}}';
 $params = new DataResponse(['test' => 'hi']);
- $out = $controller->buildResponse($params, 'json')->render();
- $this->assertEquals($expected, $out);
+ $response = $controller->buildResponse($params, 'json');
+ $this->assertSame(EmptyContentSecurityPolicy::class, get_class($response->getContentSecurityPolicy()));
+ $this->assertEquals($expected, $response->render());
+ $this->assertEquals($expected, $response->render());
 }
 public function testXMLV2() {
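Review bot: The `assertSame(EmptyContentSecurityPolicy::class, get_class($response->getContentSecurityPolicy()))` line in testXML (repeated in testJSON, testXMLV2 and testJSONV2) has no comment saying why the exact class is compared instead of using `assertInstanceOf`. If other policy classes derive from EmptyContentSecurityPolicy, which this diff does not show, the strict comparison is the right one, because an instanceof check would also accept a more permissive subclass. A one-line comment such as `// exact class on purpose: a subclass policy could allow more than the empty one` would keep a later cleanup from weakening the check. The test bodies start above these hunks.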
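Review bot: testJSON now asserts `$this->assertEquals($expected, $response->render());` twice in a row, while the other three tests in this file assert it once. The second line is either a copy-paste leftover or an unstated check that render() gives the same output when called again. Drop the duplicate, or keep it with a comment such as `// render() must be repeatable` so the intent is visible. The body of testJSON starts above the hunk.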
@@ -141,8 +145,9 @@ class OCSControllerTest extends \Test\TestCase {
 $params = new DataResponse(['test' => 'hi']);
- $out = $controller->buildResponse($params, 'xml')->render();
- $this->assertEquals($expected, $out);
+ $response = $controller->buildResponse($params, 'xml');
+ $this->assertSame(EmptyContentSecurityPolicy::class, get_class($response->getContentSecurityPolicy()));
+ $this->assertEquals($expected, $response->render());
 }
 public function testJSONV2() {
@@ -159,7 +164,8 @@ class OCSControllerTest extends \Test\TestCase {
 $expected = '{"ocs":{"meta":{"status":"ok","statuscode":200,"message":"OK"},"data":{"test":"hi"}}}';
 $params = new DataResponse(['test' => 'hi']);
- $out = $controller->buildResponse($params, 'json')->render();
- $this->assertEquals($expected, $out);
+ $response = $controller->buildResponse($params, 'json');
+ $this->assertSame(EmptyContentSecurityPolicy::class, get_class($response->getContentSecurityPolicy()));
+ $this->assertEquals($expected, $response->render());
 }
 }
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
index bfd810bc6b..55bf3e46e0 100644
--- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -37,13 +37,17 @@ use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\CSP\ContentSecurityPolicy;
 use OC\Security\CSP\ContentSecurityPolicyManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IConfig;
 use OCP\ILogger;
 use OCP\INavigationManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
+use OCP\Security\ISecureRandom;
 class SecurityMiddlewareTest extends \Test\TestCase {
@@ -72,30 +76,13 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 protected function setUp() {
 parent::setUp();
- $this->controller = $this->getMockBuilder('OCP\AppFramework\Controller')
- ->disableOriginalConstructor()
- ->getMock();
+ $this->controller = $this->createMock(Controller::class);
 $this->reader = new ControllerMethodReflector();
- $this->logger = $this->getMockBuilder(
- 'OCP\ILogger')
- ->disableOriginalConstructor()
- ->getMock();
- $this->navigationManager = $this->getMockBuilder(
- 'OCP\INavigationManager')
- ->disableOriginalConstructor()
- ->getMock();
- $this->urlGenerator = $this->getMockBuilder(
- 'OCP\IURLGenerator')
- ->disableOriginalConstructor()
- ->getMock();
- $this->request = $this->getMockBuilder(
- 'OCP\IRequest')
- ->disableOriginalConstructor()
- ->getMock();
- $this->contentSecurityPolicyManager = $this->getMockBuilder(
- 'OC\Security\CSP\ContentSecurityPolicyManager')
- ->disableOriginalConstructor()
- ->getMock();
+ $this->logger = $this->createMock(ILogger::class);
+ $this->navigationManager = $this->createMock(INavigationManager::class);
+ $this->urlGenerator = $this->createMock(IURLGenerator::class);
+ $this->request = $this->createMock(IRequest::class);
+ $this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class);
 $this->middleware = $this->getMiddleware(true, true);
 $this->secException = new SecurityException('hey', false);
 $this->secAjaxException = new SecurityException('hey', true);
@@ -459,8 +446,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
 ]
 ],
- $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
- $this->getMockBuilder('\OCP\IConfig')->getMock()
+ $this->createMock(ISecureRandom::class),
+ $this->createMock(IConfig::class)
 );
 $this->middleware = $this->getMiddleware(false, false);
 $this->urlGenerator
@@ -494,8 +481,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 'REQUEST_URI' => 'owncloud/index.php/apps/specialapp',
 ],
 ],
- $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
- $this->getMockBuilder('\OCP\IConfig')->getMock()
+ $this->createMock(ISecureRandom::class),
+ $this->createMock(IConfig::class)
 );
 $this->middleware = $this->getMiddleware(false, false);
@@ -540,8 +527,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
 ]
 ],
- $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
- $this->getMockBuilder('\OCP\IConfig')->getMock()
+ $this->createMock(ISecureRandom::class),
+ $this->createMock(IConfig::class)
 );
 $this->middleware = $this->getMiddleware(false, false);
 $this->logger
@@ -566,7 +553,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 }
 public function testAfterController() {
- $response = $this->getMockBuilder('\OCP\AppFramework\Http\Response')->disableOriginalConstructor()->getMock();
+ $response = $this->createMock(Response::class);
 $defaultPolicy = new ContentSecurityPolicy();
 $defaultPolicy->addAllowedImageDomain('defaultpolicy');
 $currentPolicy = new ContentSecurityPolicy();
@@ -592,4 +579,16 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 $this->middleware->afterController($this->controller, 'test', $response);
 }
+
+ public function testAfterControllerEmptyCSP() {
+ $response = $this->createMock(Response::class);
+ $emptyPolicy = new EmptyContentSecurityPolicy();
+ $response->expects($this->any())
+ ->method('getContentSecurityPolicy')
+ ->willReturn($emptyPolicy);
+ $response->expects($this->never())
+ ->method('setContentSecurityPolicy');
+
+ $this->middleware->afterController($this->controller, 'test', $response);
+ }
 }
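Review bot: testAfterControllerEmptyCSP only pins that `setContentSecurityPolicy` is never called on the response mock and asserts nothing about `$this->contentSecurityPolicyManager`. The test would therefore still pass if the middleware fetched and merged the default policy and merely discarded the result. Adding `$this->contentSecurityPolicyManager->expects($this->never())->method('mergePolicies');` before the call would tie the test to the intended short-circuit, assuming mergePolicies is the method afterController uses (the middleware itself is not in this diff). A one-line comment such as `// an explicitly empty policy must not be widened by the default policy` would also record why the case exists.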