Use a nonce for languageCode script

thibaudcolas · thibaudcolas · commit e33e544cf252 · 2025-02-27T11:30:17.000Z
diff --git a/apps/core/templates/base.html b/apps/core/templates/base.html
@@ -95,7 +95,7 @@
         {% include "components/search_modal.html" %}
 
         {# Global javascript #}
-        <script>var languageCode = '{{ self.locale.language_code }}';</script>
+        <script nonce="{{ request.csp_nonce }}">var languageCode = '{{ self.locale.language_code }}';</script>
         <script src="{% url 'javascript-catalog' %}"></script>
         <script src="{% manifest 'main.js' %}"></script>
 
diff --git a/apps/guide/settings/base.py b/apps/guide/settings/base.py
@@ -214,6 +214,8 @@
 
     CSP_REPORT_ONLY = env.get("CSP_REPORT_ONLY", "false").lower() == "true"
 
+    CSP_INCLUDE_NONCE_IN = ["script-src", "style-src"]
+
     # The “special” source values of
     # 'self', 'unsafe-inline', 'unsafe-eval', and 'none' must be quoted!
     # e.g.: CSP_DEFAULT_SRC = "'self'" Without quotes they will not work as intended.
