depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Don't add nonce to CSP if unsafe-inline is on

Browse source 
Browsers ignore unsafe-inline if a nonce is sent
This commit is contained in:
Literallie 2017-10-21 00:46:53 +02:00
parent 91101c856c
commit d51da8c12c
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app.js
View file

@ -171,7 +171,9 @@ if (config.csp.enable) {
)
}
}
directives.scriptSrc.push(getCspNonce)
if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
directives.scriptSrc.push(getCspNonce)
}
directives.connectSrc.push(getCspWebSocketUrl)
if (config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true'