From ba0ab41ca008cc99b304bc9f255a98f39428de53 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Tue, 29 Oct 2024 17:39:59 +0100
Subject: [PATCH] Add additional CSP header values only if present

If people write a lax default CSP they might set the additional config
option to the blank string, or false. Then the CSP header should not
contain that value.
---
 program/include/rcmail_output_html.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 6dc08225931..2bf661912fc 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2731,7 +2731,9 @@ protected function add_csp_header(): void
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
-                $csp_header .= "; {$csp_allow_remote}";
+                if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
+                    $csp_header .= "; {$csp_allow_remote}";
+                }
             }
             $this->header($csp_header);
         }