From d8c2da09d17c5e279175f851560569605fc03031 Mon Sep 17 00:00:00 2001
From: Thibaut Courouble <thibaut@me.com>
Date: Sat, 4 Jun 2016 11:15:30 -0400
Subject: [PATCH] Ban inline scripts in CSP

---
 assets/javascripts/views/pages/jquery.coffee | 3 ++-
 lib/app.rb                                   | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/assets/javascripts/views/pages/jquery.coffee b/assets/javascripts/views/pages/jquery.coffee
index 723a13f4..a8d6cd1f 100644
--- a/assets/javascripts/views/pages/jquery.coffee
+++ b/assets/javascripts/views/pages/jquery.coffee
@@ -45,7 +45,7 @@ class app.views.JqueryPage extends app.views.BasePage
 
   fixIframeSource: (source) ->
     source = source.replace '"/resources/', '"https://api.jquery.com/resources/' # attr(), keydown()
-    source.replace '</head>', """
+    source = source.replace '</head>', """
       <style>
         html, body { border: 0; margin: 0; padding: 0; }
         body { font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; }
@@ -60,3 +60,4 @@ class app.views.JqueryPage extends app.views.BasePage
       </script>
       </head>
     """
+    source.replace /<script>/gi, '<script nonce="devdocs">'
diff --git a/lib/app.rb b/lib/app.rb
index d1856fad..64e3bdd2 100644
--- a/lib/app.rb
+++ b/lib/app.rb
@@ -67,13 +67,13 @@ class App < Sinatra::Application
     BetterErrors.application_root = File.expand_path('..', __FILE__)
     BetterErrors.editor = :sublime
 
-    set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' *; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
+    set :csp, "default-src 'self' *; script-src 'self' 'nonce-devdocs' *; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
   end
 
   configure :production do
     set :static, false
     set :docs_host, '//docs.devdocs.io'
-    set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' http://cdn.devdocs.io https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es http://*.jquery.com https://*.jquery.com; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
+    set :csp, "default-src 'self' *; script-src 'self' http://cdn.devdocs.io https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es http://*.jquery.com https://*.jquery.com; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
 
     use Rack::ConditionalGet
     use Rack::ETag