From 16cbca8ad14d7e4bdef184a2448c64967fbdd705 Mon Sep 17 00:00:00 2001
From: Ilja Neumann
Date: Wed, 19 Feb 2020 16:20:09 +0100
Subject: [PATCH] Set CSP-Nonce #17

As we overwrite kopano-index handler to serve index from vfs, we need to do this manually.
---
 changelog/unreleased/set-csp-nonce.md | 4 ++++
 go.mod | 3 ++-
 pkg/service/v0/service.go | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/set-csp-nonce.md

diff --git a/changelog/unreleased/set-csp-nonce.md b/changelog/unreleased/set-csp-nonce.md
new file mode 100644
index 0000000000..2f8f0729ae
--- /dev/null
+++ b/changelog/unreleased/set-csp-nonce.md
@@ -0,0 +1,4 @@
+Bugfix: Generate a random CSP-Nonce in the webapp
+
+https://github.com/owncloud/ocis-konnectd/issues/17
+https://github.com/owncloud/ocis-konnectd/pull/29
diff --git a/go.mod b/go.mod
index 6f997642c2..191868ccc9 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,8 @@ require (
 github.com/spf13/viper v1.6.1
 go.opencensus.io v0.22.2
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
- stash.kopano.io/kc/konnect v0.28.0
+ stash.kopano.io/kc/konnect v0.28.1
+ stash.kopano.io/kgol/rndm v1.1.0
 )
 
 replace stash.kopano.io/kc/konnect => github.com/IljaN/konnect v0.29.0-alpha2
diff --git a/pkg/service/v0/service.go b/pkg/service/v0/service.go
index ed3f8a8715..e9c7b789a5 100644
--- a/pkg/service/v0/service.go
+++ b/pkg/service/v0/service.go
@@ -18,6 +18,7 @@ import (
 "stash.kopano.io/kc/konnect/bootstrap"
 kcconfig "stash.kopano.io/kc/konnect/config"
 "stash.kopano.io/kc/konnect/server"
+ "stash.kopano.io/kgol/rndm"
 )
 
 // Service defines the extension handlers.
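Review bot: The bump of `stash.kopano.io/kc/konnect` from v0.28.0 to v0.28.1 in the require block changes nothing about the build, because the `replace stash.kopano.io/kc/konnect => github.com/IljaN/konnect v0.29.0-alpha2` directive three lines below still redirects the module to a personal fork at an alpha tag. Either drop the bump or state in the commit message which version is actually consumed; since a fork replace bypasses the upstream module's release process, a comment on the replace line saying why it is needed and when it can be removed (e.g. `// TODO: drop once upstream konnect ships the changes this fork carries`) would help whoever has to audit the dependency later. The newly required `stash.kopano.io/kgol/rndm v1.1.0` should also come with its go.sum entries, but the diffstat lists only three files and go.sum is not among them, so that looks to have been left out of the patch.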
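Review bot: The new `stash.kopano.io/kgol/rndm` import is consumed, in the following hunk of this file, by a `nonce := rndm.GenerateRandomString(32)` that runs once when `Index()` builds the handler rather than inside the returned `http.HandlerFunc`, so every response served by this process carries the same nonce for its whole lifetime. A CSP nonce only protects against injected inline script when it is unpredictable per response; a fixed one is effectively `'unsafe-inline'` once it has been seen in any earlier page load. Moving the nonce generation and the `bytes.Replace` into the closure, and setting the `Content-Security-Policy` header with that same value there (this diff does not show the header being set anywhere), would address both; if an outer konnect handler is expected to set the header, a comment saying so would spare the next reader the same question. That hunk also assigns `indexHTML` with `=` after removing its only visible `:=` declaration and leaves `pp` with no visible use, which suggests the `__PATH_PREFIX__` substitution was dropped by accident rather than intentionally — worth confirming. The body of `Index()` starts before and ends after what the diff shows.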
@@ -212,9 +213,11 @@ func (k Konnectd) Index() http.HandlerFunc {
 // TODO add environment variable to make the path prefix configurable
 pp := "/signin/v1"
- indexHTML := bytes.Replace(template, []byte("__PATH_PREFIX__"), []byte(pp), 1)
+ nonce := rndm.GenerateRandomString(32)
+ indexHTML = bytes.Replace(indexHTML, []byte("__CSP_NONCE__"), []byte(nonce), 1)
+
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusOK)
 w.Write(indexHTML)