fine tune

Author: wxiaoguang

services/context/context_template.go

@@ -129,8 +129,15 @@ func (c TemplateContext) CspScriptNonce() (ret string) {
 
 func (c TemplateContext) HeadMetaContentSecurityPolicy() template.HTML {
 	return template.HTML(`<meta http-equiv="Content-Security-Policy" content="` +
-		`default-src *` + // allow all by default (the same as old releases with no CSP)
+		// allow all by default (the same as old releases with no CSP)
+		// "data:" is used to load the manifest in head (maybe also need to be refactored in the future)
+		// maybe some images are also loaded by "data:", need to investigate
+		`default-src * data:;` +
+
+		// enforce nonce for all scripts, disallow inline scripts
 		`script-src * 'nonce-` + c.CspScriptNonce() + `';` +
-		`style-src * 'unsafe-inline';` + // it seems that Vue needs it, need to investigate
+
+		// it seems that Vue needs the unsafe-inline, need to investigate
+		`style-src * 'unsafe-inline';` +
 		`">`)
 }

web_src/js/features/repo-issue-pull.ts

@@ -69,7 +69,8 @@ async function initRepoPullRequestMergeForm(box: HTMLElement) {
 }
 
 function executeScripts(elem: HTMLElement) {
-  const scriptNonce = document.querySelector('head script[nonce]')!.getAttribute('nonce')!;
+  // find any existing nonce value from the current page and apply it to the new script
+  const scriptNonce = document.querySelector('script[nonce]')!.getAttribute('nonce')!;
   for (const oldScript of elem.querySelectorAll('script')) {
     // TODO: that's the only way to load the data for the merge form. In the future
     //  we need to completely decouple the page data and embedded script