Don't add nonce to CSP if unsafe-inline is on

Browsers ignore unsafe-inline if a nonce is sent
2017-10-21 00:46:53 +02:00
parent 91101c856c
commit d51da8c12c
1 changed files with 3 additions and 1 deletions
--- a/app.js
+++ b/app.js
@@ -171,7 +171,9 @@ if (config.csp.enable) {
      )
    }
  }
-  directives.scriptSrc.push(getCspNonce)
+  if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
+    directives.scriptSrc.push(getCspNonce)
+  }
  directives.connectSrc.push(getCspWebSocketUrl)
  if (config.csp.upgradeInsecureRequests === 'auto') {
    directives.upgradeInsecureRequests = config.usessl === 'true'