Content Security and Permission Policies - use csp_nonce for inline s…

…cripts
gip-inclusion · Sep 21, 2023 · 4efcc19 · 4efcc19
1 parent 6adebc6
commit 4efcc19
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/lacommunaute/templates/forum_conversation/partials/topic_likes.html b/lacommunaute/templates/forum_conversation/partials/topic_likes.html
@@ -22,6 +22,6 @@
     {% endwith %}
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
     document.activeElement?.blur();
 </script>
diff --git a/lacommunaute/templates/layouts/base.html b/lacommunaute/templates/layouts/base.html
@@ -13,6 +13,8 @@
             <meta name="keywords" content="{% block meta_keywords %}{% endblock meta_keywords %}">
             <meta name="viewport" content="width=device-width, initial-scale=1">
 
+            <meta name="htmx-config" content='{"inlineScriptNonce":"{{ request.csp_nonce }}"}'>
+
             <!-- https://metatags.io Open Graph -->
             <meta property="og:locale" content="fr_FR">
             <meta property="og:type" content="website">
@@ -103,7 +105,7 @@
         {% block js %}
             {% import_static_JS_theme_inclusion %}
             <script src="{% static 'machina/build/js/machina.min.js' %}" type="text/javascript" charset="utf-8"></script>
-            <script type="text/javascript">
+            <script type="text/javascript" nonce="{{ request.csp_nonce }}">
                 $(function() {
                     machina.init();
                     {% block onbodyload %}{% endblock onbodyload %}
@@ -113,7 +115,7 @@
 
         {% block extra_js %}
             <script src="{% static "vendor/tarteaucitron.js-1.11.0/tarteaucitron.js" %}"></script>
-            <script>
+            <script nonce="{{ request.csp_nonce }}">
                 // Tarteaucitron's language is set according to the browser configuration
                 // but a lot of users don't know how to change it.
                 // This can be forced only by using a global `var` statement.

diff --git a/lacommunaute/templates/pages/home.html b/lacommunaute/templates/pages/home.html
@@ -135,7 +135,7 @@ <h3 class="m-0">
 {% block extra_js %}
     {{ block.super }}
     <script async src="https://tally.so/widgets/embed.js"></script>
-    <script defer>
+    <script defer nonce="{{ request.csp_nonce }}">
         // Any given Tally popup will not be shown more than once every `minDaysBetweenDisplays` days.
         const minDaysBetweenDisplays = 14;
         const delayBeforeShowingPopupInSeconds = 45;

diff --git a/lacommunaute/templates/pages/statistiques.html b/lacommunaute/templates/pages/statistiques.html
@@ -88,7 +88,7 @@ <h2>Vue quotidienne</h2>
 {% block extra_js %}
     {{ block.super }}
     <script src="https://cdn.jsdelivr.net/npm/[email protected]"></script>
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         const ctx_stats = document.getElementById('statChart');
         new Chart(ctx_stats, {
             type: 'line',