Don't add nonce to CSP if unsafe-inline is on

Browsers ignore unsafe-inline if a nonce is sent
This commit is contained in:
Literallie 2017-10-21 00:46:53 +02:00
parent 91101c856c
commit d51da8c12c
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C

4
app.js
View file

@ -171,7 +171,9 @@ if (config.csp.enable) {
)
}
}
directives.scriptSrc.push(getCspNonce)
if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
directives.scriptSrc.push(getCspNonce)
}
directives.connectSrc.push(getCspWebSocketUrl)
if (config.csp.upgradeInsecureRequests === 'auto') {
directives.upgradeInsecureRequests = config.usessl === 'true'