Add nonce to embedded script references.

rouilj · rouilj · commit 5f9c23bb0d52 · 2017-03-23T21:08:30.000-04:00
This should allow these scripts to execute with a nonce-.... content security policy (csp). However there is still a lot of inline javascript that a web developer needs to look at and rewrite the inline javascript (onsubmit, onclick ..) to be applied by a nonce authorized javascript library that adds event listeners. Ref: https://csp.withgoogle.com/docs/adopting-csp.html#refactor-inline-event-handlers-and-javascript-uris
diff --git a/roundup/cgi/KeywordsExpr.py b/roundup/cgi/KeywordsExpr.py
@@ -5,7 +5,7 @@
 <h3>Keyword Expression Editor:</h3>
 <hr/>
 <div id="content"></div>
-<script type="text/javascript">
+<script nonce="%(nonce)s" type="text/javascript">
 <!--
 
 var NOT_OP = "-2";
@@ -265,7 +265,8 @@ def render_keywords_expression_editor(request):
     window_content = WINDOW_CONTENT % {
         'prop'    : prop,
         'keywords': items_to_keywords(list_nodes(request)),
-        'original': ''
+        'original': '',
+        'nonce': request.client.client_nonce
     }
 
     return window_content
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -998,9 +998,10 @@ def finishRego(self):
         # to want to reload the page, or something)
         return '''<html><head><title>%s</title></head>
             <body><p><a href="%s">%s</a></p>
-            <script type="text/javascript">
+            <script nonce="%s" type="text/javascript">
             window.setTimeout('window.location = "%s"', 1000);
-            </script>'''%(message, url, message, url)
+            </script>'''%(message, url, message,
+                          self.client.client_nonce, url)
 
 class ConfRegoAction(RegoCommon):
     def handle(self):
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -2904,7 +2904,7 @@ def indexargs_url(self, url, args):
 
     def base_javascript(self):
         return """
-<script type="text/javascript">
+<script nonce="%s" type="text/javascript">
 submitted = false;
 function submit_once() {
     if (submitted) {
@@ -2920,7 +2920,7 @@ def base_javascript(self):
     HelpWin.focus ()
 }
 </script>
-"""%self.base
+"""%(self._client.client_nonce,self.base)
 
     def batch(self, permission='View'):
         """ Return a batch object for results from the "current search"
