Remove no-js declaration in nonce-enabled inline script
Change-Id: If29e7d48ef9c326533a5e6f9a44176d2da84b78d
diff --git a/Changes b/Changes
index 3c9262c..271cf05 100755
--- a/Changes
+++ b/Changes
@@ -1,4 +1,4 @@
-0.41 2021-01-26
+0.41 2021-01-27
- Introduce CORS headers to the proxy.
- Introduce Content Security Policy.
- Remove default api endpoint from config to
@@ -8,6 +8,7 @@
Windows Powershell (lerepp).
- Establish CSP plugin.
- Added nonce helper to CSP plugin.
+ - Remove no-js class in nonced inline script.
0.40 2020-12-17
- Modernize ES and fix in-loops.
diff --git a/dev/js/src/init.js b/dev/js/src/init.js
index 6a781b6..91084cf 100644
--- a/dev/js/src/init.js
+++ b/dev/js/src/init.js
@@ -52,9 +52,6 @@
const d = document;
- // Remove the no-js class from the body
- d.body.classList.remove('no-js');
-
// Set base URL
KorAP.URL = d.body.getAttribute('data-korap-url') || "";
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index b13de68..4a2ae7c 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -147,11 +147,13 @@
$self->plugin(CSP => {
'default-src' => 'self',
'style-src' => ['self','unsafe-inline'],
+ 'script-src' => 'self',
'frame-src' => '*',
'media-src' => 'none',
'object-src' => 'self',
'font-src' => 'self',
- 'img-src' => ['self', 'data:']
+ 'img-src' => ['self', 'data:'],
+ -with_nonce => 1
});
# Localization framework
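Review bot: The new nonce-based `'script-src' => 'self'` is not paired with a `base-uri` directive, so an injected `<base href>` in the page could redirect the relative `<script src>` URLs that `'self'` is meant to pin to this origin; adding `'base-uri' => 'self'` next to the new `script-src` line closes that gap, assuming the plugin accepts the directive the same way it accepts the others listed here. It is also worth a comment on the `-with_nonce => 1` line that an inline script without a matching nonce is now blocked, since `'unsafe-inline'` is granted to `style-src` only, e.g. `# every inline <script> must carry the per-request nonce (see nonce_js block)`. The enclosing `sub` starts and ends outside this hunk.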
@@ -178,7 +180,7 @@
foreach (
'TagHelpers::MailToChiffre', # Obfuscate email addresses
'KalamarHelpers', # Specific Helpers for Kalamar
- 'KalamarPages', # Page Helpers for Kalamar
+ 'KalamarPages', # Page Helpers for Kalamar
'KalamarErrors', # Specific Errors for Kalamar
'KalamarUser', # Specific Helpers for Kalamar Users
'ClientIP', # Get client IP from X-Forwarded-For
@@ -272,6 +274,14 @@
position => 100
});
+ # Add nonce script
+ $self->content_block(nonce_js => {
+ inline => <<'NONCE_JS'
+ // Remove the no-js class from the body
+ document.body.classList.remove('no-js');
+NONCE_JS
+ });
+
# Base query route
$r->get('/')->to('search#query')->name('index');
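Review bot: The `nonce_js` content block has no comment saying why the no-js removal was moved here from `init.js`, and the reason is not obvious from the code; presumably it is so the class is dropped synchronously as soon as `<body>` opens rather than after the external script loads, but that should be confirmed. Suggested header for the block: `# Inline script emitted with the CSP nonce (-with_nonce); it must stay nonced or script-src 'self' will block it`. Note that `document.body` is only available because the template inserts this tag after the `<body>` opening tag, which is a dependency worth stating in the comment. The enclosing `sub` starts and ends outside this hunk.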
diff --git a/t/page.t b/t/page.t
index 55f6518..4339f4e 100644
--- a/t/page.t
+++ b/t/page.t
@@ -23,10 +23,14 @@
->attr_is('meta[property="og:url"]', 'content', '//korap2.ids-mannheim.de/')
;
+# Test csp
$t->get_ok('/')
->header_like('Content-Security-Policy', qr!default-src 'self';!)
->header_like('Content-Security-Policy', qr!media-src 'none';!)
->header_like('Content-Security-Policy', qr!object-src 'self';!)
+ ->header_like('Content-Security-Policy', qr!nonce-!)
+ ->content_like(qr/<script nonce/)
+ ->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
;
# Test additions
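Review bot: The new assertions `header_like(..., qr!nonce-!)` and `content_like(qr/<script nonce/)` check the header and the markup independently, so a nonce that is emitted in the header but rendered with a different value in the tag would still pass; capture the header value and require the same one in the tag, e.g. `my ($nonce) = $t->tx->res->headers->header('Content-Security-Policy') =~ /'nonce-([^']+)'/;` followed by `ok($nonce, 'Nonce in header');` and `$t->content_like(qr/<script nonce="\Q$nonce\E"/);`. A second `get_ok('/')` asserting a different nonce would also pin that the value is per-request rather than static, which the current regexes cannot tell apart.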
diff --git a/templates/layouts/main.html.ep b/templates/layouts/main.html.ep
index f5610c2..2fa2563 100644
--- a/templates/layouts/main.html.ep
+++ b/templates/layouts/main.html.ep
@@ -60,6 +60,9 @@
data-korap-url="<%== $api %>"
itemscope
itemtype="http://schema.org/<%= stash('schematype') || 'WebApplication' %>">
+
+ %= csp_nonce_tag
+
<div id="kalamar-bg"></div>
%= include 'partial/side', embedded => $embedded