Don't add nonce to CSP if unsafe-inline is on

Browsers ignore unsafe-inline if a nonce is sent
author: Literallie 2017-10-21 00:46:53 +0200
committer: Literallie 2017-10-22 00:03:46 +0200
commit: d51da8c12c2446d081eaa7f32406941b09142c1c (patch)
tree: 7e824f87c2b80e3434e93873bb904db7a51d1a66 /app.js
parent: 91101c856c3efac53e8a4db4cc537b77370aa7df (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/app.js b/app.js
index 01ecc84c..8664707d 100644
--- a/app.js
+++ b/app.js
@@ -171,7 +171,9 @@ if (config.csp.enable) {
       )
     }
   }
-  directives.scriptSrc.push(getCspNonce)
+  if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
+    directives.scriptSrc.push(getCspNonce)
+  }
   directives.connectSrc.push(getCspWebSocketUrl)
   if (config.csp.upgradeInsecureRequests === 'auto') {
     directives.upgradeInsecureRequests = config.usessl === 'true'
author	Literallie	2017-10-21 00:46:53 +0200
committer	Literallie	2017-10-22 00:03:46 +0200
commit	d51da8c12c2446d081eaa7f32406941b09142c1c (patch)
tree	7e824f87c2b80e3434e93873bb904db7a51d1a66 /app.js
parent	91101c856c3efac53e8a4db4cc537b77370aa7df (diff)