From c8983ca863e21ee47b80af1e8bfe25c19b87b93a Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 19 Dec 2022 14:52:58 +0100
Subject: [PATCH] CSP: Do not set nonce if unsafe-inline is set

---
 src/pretix/base/middleware.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 924f62982..407f67e17 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -224,6 +224,11 @@ def _merge_csp(a, b):
         if k not in a:
             a[k] = b[k]
 
+    for k, v in a.items():
+        if "'unsafe-inline'" in v:
+            # If we need unsafe-inline, drop any hashes or nonce as they will be ignored otherwise
+            a[k] = [i for i in v if not i.startswith("'nonce-") and not i.startswith("'sha-")]
+
 
 class SecurityMiddleware(MiddlewareMixin):
     CSP_EXEMPT = (
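Review bot: The `'sha-` prefix on the filter line never matches a real CSP hash source — the spec spells them `'sha256-…'`, `'sha384-…'` and `'sha512-…'` — so hashes survive the filter and, per CSP Level 2, their presence still makes `'unsafe-inline'` ignored, which is exactly the case the commit is trying to handle; use `a[k] = [i for i in v if not i.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))]`. The comment above it also has the causality backwards: it is `'unsafe-inline'` that browsers ignore when a nonce or hash is present, not the other way round, so something like `# A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'; if unsafe-inline was explicitly requested, drop them so it takes effect` would be accurate. Since this deliberately discards the nonce/hash protection whenever `'unsafe-inline'` appears anywhere in the merged policy, that trade-off is worth stating in the `_merge_csp` docstring so operators know unsafe-inline now fully disables the nonce-based controls. The body of `_merge_csp` begins before this hunk.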