[Bug]: browserSupportsCspV3() returns false which is bad #35013

@the-djmaze

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on GitHub (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

browserSupportsCspV3() should always return TRUE and never do browser sniffing in any way.
It's terrible and indeed now bites again.

My Nextcloud app fails in Microsoft Edge AND iOS while both work fine with CSP Level 3 (just like many other browsers and TOR, but you return false).

Because browserSupportsCspV3() returns false, the nonce isn't working.

Just remove the check as CSP Level 1 & 2 browsers are ancient.

Expected behavior

browserSupportsCspV3() always returns true

Additional info

public function browserSupportsCspV3(): bool {

iOS 16 the-djmaze/snappymail#631
Microsoft Edge the-djmaze/snappymail#633
firefox-esr the-djmaze/snappymail#634

https://caniuse.com/?search=Nonce
https://caniuse.com/?search=strict-dynamic

TL;DR

Here is a good read about strict-dynamic:
https://content-security-policy.com/strict-dynamic/

And being an annoying evangelist :)
https://www.sitepoint.com/why-browser-sniffing-stinks/
https://stackoverflow.com/questions/661213/why-is-browser-sniffing-not-a-recommended-practice
https://css-tricks.com/browser-detection-is-bad/

Request::USER_AGENT_*

There are probably more locations where these are used, but I didn't check them.
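
Added example (not code from this issue or from Nextcloud): a simplified model of how browsers at CSP Level 1, 2 and 3 each interpret one `script-src` list, showing that a nonce plus `strict-dynamic` policy with fallbacks can be sent to every client without a User-Agent check. The function names and the sample nonce are constructed for illustration, and the model covers only the four source kinds used here.

```javascript
// Build one script-src directive that is sent to every browser.
// `nonce` must be a fresh random value per response; the caller supplies it.
function buildScriptSrc(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'`;
}

// Return the source expressions a browser of the given CSP level honours.
// Simplified model: unknown keywords are dropped, and newer keywords
// switch off the older fallbacks as the CSP2 and CSP3 specs describe.
function effectiveSources(policy, level) {
  const sources = policy.trim().split(/\s+/).slice(1);
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  const hasStrictDynamic = sources.includes("'strict-dynamic'");
  return sources.filter((s) => {
    if (s.startsWith("'nonce-")) return level >= 2; // nonces arrived in CSP2
    if (s === "'strict-dynamic'") return level >= 3; // CSP3 keyword
    // 'unsafe-inline' is ignored once the browser understands the nonce
    if (s === "'unsafe-inline'") return !(level >= 2 && hasNonce);
    // scheme/host sources are ignored once 'strict-dynamic' is understood
    return !(level >= 3 && hasStrictDynamic);
  });
}

// Would an inline <script> run? `scriptNonce` is null for an injected
// script that carries no nonce attribute.
function inlineScriptAllowed(policy, level, scriptNonce) {
  const eff = effectiveSources(policy, level);
  if (eff.includes("'unsafe-inline'")) return true;
  return scriptNonce !== null && eff.includes(`'nonce-${scriptNonce}'`);
}

// One row per CSP level: what is enforced, and what runs.
function compatibilityMatrix(nonce) {
  const policy = buildScriptSrc(nonce);
  return [1, 2, 3].map((level) => ({
    level,
    enforced: effectiveSources(policy, level).join(' '),
    appScriptRuns: inlineScriptAllowed(policy, level, nonce),
    injectedScriptRuns: inlineScriptAllowed(policy, level, null),
  }));
}

// Constructed sample nonce, for demonstration only.
console.table(compatibilityMatrix('c2FtcGxlLW5vbmNl'));
```

The application's own nonce-bearing script runs at every level; only the protection against injected inline scripts degrades on a Level 1 client.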
