From e5d413b07e3797d0f7a9df3342f08a2e51ec9fc0 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Wed, 21 Feb 2024 15:25:59 +0100
Subject: [PATCH] Use environment provided NONCE for inline scripts. #3788

When an outside source wants to set a restrictive CSP, it can use a nonce to allow inline scripts instead of using 'unsafe-inline'. This nonce can be passed on via the environment variable NONCE and will be used in tpl_metaheaders to tag our inline JS initializations. An update to the cspheaders plugin should be made to provide a nonce as well.
---
inc/template.php | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/inc/template.php b/inc/template.php
index 9eed801f8..dd2a9678a 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -411,17 +411,23 @@ function tpl_metaheaders($alt = true)
 * For tags having a body attribute specify the body data in the special
 * attribute '_data'. This field will NOT BE ESCAPED automatically.
 *
+ * Inline scripts will use any nonce provided in the environment variable 'NONCE'.
+ *
 * @param array $data
 *
 * @author Andreas Gohr
 */
 function _tpl_metaheaders_action($data)
 {
+ $nonce = getenv('NONCE');
 foreach ($data as $tag => $inst) {
 foreach ($inst as $attr) {
 if (empty($attr)) {
 continue;
 }
+ if ($nonce && $tag == 'script' && !empty($attr['_data'])) {
+ $attr['nonce'] = $nonce; // add nonce to inline script tags
+ }
 echo '<', $tag, ' ', buildAttributes($attr);
 if (isset($attr['_data']) || $tag == 'script') {
 echo '>', $attr['_data'] ?? '', '';
--
2.11.4.GIT
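Review bot: The new check accepts any truthy NONCE value, so a nonce that is fixed in server configuration rather than generated per response would pass the `if ($nonce && ...)` test while leaving the CSP no stronger than 'unsafe-inline'; the code cannot verify freshness, so that requirement belongs next to the `getenv('NONCE')` call, e.g. `// NONCE must be generated fresh for every response by whatever emits the CSP header; a constant value defeats the nonce.`. The nonce is only attached when `_data` is non-empty, so `<script src=...>` tags emitted by this function stay untagged and would need to be allowed some other way under a nonce-only policy — worth a sentence in the docblock line the hunk adds. Whether `buildAttributes()` escapes the nonce value for the attribute context is not visible in this hunk, and `$tag == 'script'` could be `$tag === 'script'` to avoid loose comparison. The body of `_tpl_metaheaders_action` continues past the end of the hunk.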