Don't add nonce to CSP if unsafe-inline is on

literalplus · literalplus · commit d51da8c12c24 · 2017-10-22T00:03:46.000+02:00
Browsers ignore unsafe-inline if a nonce is sent
diff --git a/app.js b/app.js
@@ -171,7 +171,9 @@ if (config.csp.enable) {
       )
     }
   }
-  directives.scriptSrc.push(getCspNonce)
+  if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
+    directives.scriptSrc.push(getCspNonce)
+  }
   directives.connectSrc.push(getCspWebSocketUrl)
   if (config.csp.upgradeInsecureRequests === 'auto') {
     directives.upgradeInsecureRequests = config.usessl === 'true'

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,9 @@ if (config.csp.enable) {`
`171`	`171`	`)`
`172`	`172`	`}`
`173`	`173`	`}`
`174`		`- directives.scriptSrc.push(getCspNonce)`
	`174`	`+ if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {`
	`175`	`+ directives.scriptSrc.push(getCspNonce)`
	`176`	`+ }`
`175`	`177`	`directives.connectSrc.push(getCspWebSocketUrl)`
`176`	`178`	`if (config.csp.upgradeInsecureRequests === 'auto') {`
`177`	`179`	`directives.upgradeInsecureRequests = config.usessl === 'true'`