CSP: Do not set nonce if unsafe-inline is set

2022-12-19 14:52:58 +01:00
parent 52f6b7c971
commit c8983ca863
1 changed files with 5 additions and 0 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -224,6 +224,11 @@ def _merge_csp(a, b):
        if k not in a:
            a[k] = b[k]

+    for k, v in a.items():
+        if "'unsafe-inline'" in v:
+            # If we need unsafe-inline, drop any hashes or nonce as they will be ignored otherwise
+            a[k] = [i for i in v if not i.startswith("'nonce-") and not i.startswith("'sha-")]
+

 class SecurityMiddleware(MiddlewareMixin):
    CSP_EXEMPT = (