diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 3bfef2df02..5e253d0954 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -37,6 +37,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\CSP\ContentSecurityPolicyManager;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
@@ -182,6 +183,10 @@ class SecurityMiddleware extends Middleware {
 public function afterController($controller, $methodName, Response $response) {
 $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
 
+ if (get_class($policy) === EmptyContentSecurityPolicy::class) {
+ return $response;
+ }
+
 $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
 $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
 
diff --git a/lib/private/AppFramework/OCS/BaseResponse.php b/lib/private/AppFramework/OCS/BaseResponse.php
index fa22498ac0..59b8660a38 100644
--- a/lib/private/AppFramework/OCS/BaseResponse.php
+++ b/lib/private/AppFramework/OCS/BaseResponse.php
@@ -23,6 +23,7 @@
 namespace OC\AppFramework\OCS;
 
 use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\Response;
 
 abstract class BaseResponse extends Response {
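Review bot: The early return added to afterController compares `get_class($policy)` for exact equality, and nothing at that line says why `instanceof` was not used. Judging from the type-hint change in Response.php in this same commit, ContentSecurityPolicy appears to be a subtype of EmptyContentSecurityPolicy, so `instanceof` would match every policy and skip the default-policy merge for all responses. That reasoning should be recorded next to the check, e.g. `// Exact class on purpose: subclasses such as ContentSecurityPolicy must still be merged with the default policy`. The branch also lets any controller, not only OCS ones, bypass the manager's default policy by setting a bare EmptyContentSecurityPolicy, so a test asserting which CSP header such a response ends up with would be worth adding. The rest of afterController lies outside the hunk.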
@@ -67,7 +68,7 @@ abstract class BaseResponse extends Response {
 $this->setETag($dataResponse->getETag());
 $this->setLastModified($dataResponse->getLastModified());
 $this->setCookies($dataResponse->getCookies());
- $this->setContentSecurityPolicy($dataResponse->getContentSecurityPolicy());
+ $this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
 
 if ($format === 'json') {
 $this->addHeader(
diff --git a/lib/public/AppFramework/Http/Response.php b/lib/public/AppFramework/Http/Response.php
index 0b162b453a..8591d6abc6 100644
--- a/lib/public/AppFramework/Http/Response.php
+++ b/lib/public/AppFramework/Http/Response.php
@@ -248,18 +248,18 @@ class Response {
 
 /**
 * Set a Content-Security-Policy
- * @param ContentSecurityPolicy $csp Policy to set for the response object
+ * @param EmptyContentSecurityPolicy $csp Policy to set for the response object
 * @return $this
 * @since 8.1.0
 */
- public function setContentSecurityPolicy(ContentSecurityPolicy $csp) {
+ public function setContentSecurityPolicy(EmptyContentSecurityPolicy $csp) {
 $this->contentSecurityPolicy = $csp;
 return $this;
 }
 
 /**
 * Get the currently used Content-Security-Policy
- * @return ContentSecurityPolicy|null Used Content-Security-Policy or null if
+ * @return EmptyContentSecurityPolicy|null Used Content-Security-Policy or null if
 * none specified.
 * @since 8.1.0
 */
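Review bot: The replaced line no longer copies the policy from `$dataResponse`, so any Content-Security-Policy a controller set on it is now dropped without a trace. For JSON/XML API output a locked-down policy is a reasonable default. Together with the early return added in SecurityMiddleware, though, the header sent for OCS responses now depends entirely on what EmptyContentSecurityPolicy builds, which is not visible here; it is worth confirming that it still emits a deny-by-default header rather than none. A comment such as `// OCS responses carry data, not markup: always use the empty policy and ignore the controller's CSP` would make the intent explicit. The enclosing method begins above the hunk and continues below it.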
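Review bot: `setContentSecurityPolicy()` sits under lib/public, and widening its parameter from ContentSecurityPolicy to EmptyContentSecurityPolicy changes a published signature. Callers passing a ContentSecurityPolicy presumably keep working, since the change implies it is a subtype. A subclass that overrides the method with the old, narrower `ContentSecurityPolicy $csp` hint would no longer be signature-compatible with the parent, and code reading `getContentSecurityPolicy()` can now receive an object of the base type. Both docblocks still say only `@since 8.1.0`; they should record the change, e.g. `@since 8.1.0 - $csp accepts EmptyContentSecurityPolicy since <VERSION>` (placeholder, the release is not shown on the page). The getter's body is outside the hunk.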