WEBUI-1282: Allow Content Security Policy without script-src data: pa…

…rt 1
nuxeo · Nov 28, 2024 · a6dbd07 · a6dbd07
1 parent 52ee5e8
commit a6dbd07
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/index.html b/index.html
@@ -86,6 +86,10 @@
     <script src="vendor/web-animations/web-animations-next-lite.min.js"></script>
 
     <script nonce="dummy">
+
+      function generateNonce(){
+        return window.crypto.randomUUID().toString('base64')
+      }
       /* eslint-disable no-var, no-unused-vars */
       var Nuxeo = {
         UI: {
@@ -125,6 +129,7 @@
                 hrefBase: 'elements/search/',
               },
             },
+            nonce: generateNonce()
             /* analytics: {
               documentDistribution: {
                 disableThreshold: 100, // uncomment to set the threshold value that disables the distribution analytics

diff --git a/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/config.jsp b/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/config.jsp
@@ -29,6 +29,7 @@
 var Nuxeo = Nuxeo || {};
 Nuxeo.UI = Nuxeo.UI || {};
 Nuxeo.UI.config = <%= cs.getPropertiesAsJson("org.nuxeo.web.ui") %>;
+Nuxeo.UI.config.nonce = NuxeoNonce;
 Nuxeo.UI.bundles = [
   <% for (Resource resource : wrm.getResources(new ResourceContextImpl(), "web-ui", "import")) { %>
   '<%= context %><%= resource.getURI() %>',

diff --git a/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp b/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp
@@ -17,6 +17,7 @@ limitations under the License.
 -->
 <%@ page trimDirectiveWhitespaces="true" %>
 <%@ page contentType="text/html; charset=UTF-8" %>
+<%@ page import="java.util.UUID"%>
 <%@ page import="org.nuxeo.common.Environment"%>
 <%@ page import="org.nuxeo.runtime.api.Framework"%>
 <%@ page import="org.nuxeo.ecm.core.api.repository.RepositoryManager"%>
@@ -35,6 +36,7 @@ limitations under the License.
   } else {
     baseUrl = context + "/repo/" + repository + "/ui/";
   }
+  String NX_NONCE_VALUE = UUID.randomUUID().toString();
 %>
 
 <!DOCTYPE html>
@@ -44,6 +46,7 @@ limitations under the License.
   <meta charset="UTF-8">
   <meta name="description" content="">
   <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<%= NX_NONCE_VALUE %>' 'strict-dynamic'">
 
   <title><%= Framework.getProperty(Environment.PRODUCT_NAME) %></title>
 
@@ -84,6 +87,10 @@ limitations under the License.
   </style>
 </head>
 
+<script nonce="<%= NX_NONCE_VALUE %>">
+  const NuxeoNonce = "<%= NX_NONCE_VALUE %>";
+</script>
+
 <body>
   <nuxeo-connection url="<%= context %>" repository-name="<%= repository %>"></nuxeo-connection>
   <nuxeo-app base-url="<%= baseUrl %>"
@@ -98,15 +105,15 @@ limitations under the License.
     </div>
   </nuxeo-app>
 
-  <script src="vendor/webcomponentsjs/webcomponents-loader.js"></script>
+  <script src="vendor/webcomponentsjs/webcomponents-loader.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="vendor/html-imports/html-imports.min.js"></script>
+  <script src="vendor/html-imports/html-imports.min.js" nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="vendor/web-animations/web-animations-next-lite.min.js"></script>
+  <script src="vendor/web-animations/web-animations-next-lite.min.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="config.jsp"></script>
+  <script src="config.jsp"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="main.bundle.js"></script>
+  <script src="main.bundle.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
 </body>