Remove no-js declaration in nonce-enabled inline script

Change-Id: If29e7d48ef9c326533a5e6f9a44176d2da84b78d
diff --git a/Changes b/Changes
index 3c9262c..271cf05 100755
--- a/Changes
+++ b/Changes
@@ -1,4 +1,4 @@
-0.41 2021-01-26
+0.41 2021-01-27
         - Introduce CORS headers to the proxy.
         - Introduce Content Security Policy.
         - Remove default api endpoint from config to
@@ -8,6 +8,7 @@
           Windows Powershell (lerepp).
         - Establish CSP plugin.
         - Added nonce helper to CSP plugin.
+        - Remove no-js class in nonced inline script.
 
 0.40 2020-12-17
         - Modernize ES and fix in-loops.
diff --git a/dev/js/src/init.js b/dev/js/src/init.js
index 6a781b6..91084cf 100644
--- a/dev/js/src/init.js
+++ b/dev/js/src/init.js
@@ -52,9 +52,6 @@
 
   const d = document;
 
-  // Remove the no-js class from the body
-  d.body.classList.remove('no-js');
-
   // Set base URL
   KorAP.URL = d.body.getAttribute('data-korap-url') || "";
 
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index b13de68..4a2ae7c 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -147,11 +147,13 @@
   $self->plugin(CSP => {
     'default-src' => 'self',
     'style-src' => ['self','unsafe-inline'],
+    'script-src' => 'self',
     'frame-src' => '*',
     'media-src' => 'none',
     'object-src' => 'self',
     'font-src' => 'self',
-    'img-src' => ['self', 'data:']
+    'img-src' => ['self', 'data:'],
+    -with_nonce => 1
   });
 
   # Localization framework
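Review bot: The `-with_nonce => 1` switch added to the CSP plugin options has no comment, although it changes how the policy is enforced: together with the new `'script-src' => 'self'` it presumably makes the plugin append a per-response `'nonce-…'` source that the layout's inline script relies on (the test in t/page.t expects `nonce-` in the header). I would add `# Adds a fresh nonce to script-src per response; needed for the inline nonce_js block` above it. It is also worth stating there that a nonce only protects if it is unpredictable and never reused, so rendered pages must not be served from a shared cache. The enclosing sub starts and ends outside the hunk.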
@@ -178,7 +180,7 @@
   foreach (
     'TagHelpers::MailToChiffre', # Obfuscate email addresses
     'KalamarHelpers',            # Specific Helpers for Kalamar
-    'KalamarPages',             # Page Helpers for Kalamar
+    'KalamarPages',              # Page Helpers for Kalamar
     'KalamarErrors',             # Specific Errors for Kalamar
     'KalamarUser',               # Specific Helpers for Kalamar Users
     'ClientIP',                  # Get client IP from X-Forwarded-For
@@ -272,6 +274,14 @@
     position => 100
   });
 
+  # Add nonce script
+  $self->content_block(nonce_js => {
+    inline => <<'NONCE_JS'
+      // Remove the no-js class from the body
+      document.body.classList.remove('no-js');
+NONCE_JS
+  });
+
   # Base query route
   $r->get('/')->to('search#query')->name('index');
 
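Review bot: The `nonce_js` content block registered here is a trust boundary that the one-line comment `# Add nonce script` does not spell out: whatever lands in that block is presumably emitted inside the nonce-bearing `<script>` and therefore runs with the page's full script privileges. I would replace the comment with `# Static JS only: nonce_js is rendered inside the nonce-authorised inline <script>; never add request-derived text`. The single-quoted heredoc `<<'NONCE_JS'` is the right choice because it disables Perl interpolation, and the comment should say to keep it that way. The surrounding sub begins and ends outside the hunk.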
diff --git a/t/page.t b/t/page.t
index 55f6518..4339f4e 100644
--- a/t/page.t
+++ b/t/page.t
@@ -23,10 +23,14 @@
   ->attr_is('meta[property="og:url"]', 'content', '//korap2.ids-mannheim.de/')
   ;
 
+# Test csp
 $t->get_ok('/')
   ->header_like('Content-Security-Policy', qr!default-src 'self';!)
   ->header_like('Content-Security-Policy', qr!media-src 'none';!)
   ->header_like('Content-Security-Policy', qr!object-src 'self';!)
+  ->header_like('Content-Security-Policy', qr!nonce-!)
+  ->content_like(qr/<script nonce/)
+  ->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
   ;
 
 # Test additions
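Review bot: The added assertion `header_like('Content-Security-Policy', qr!nonce-!)` passes if the string `nonce-` appears anywhere in the header, and `content_like(qr/<script nonce/)` never checks that the tag carries the same value. Tightening the header check to `->header_like('Content-Security-Policy', qr!script-src [^;]*'nonce-[^']+'!)` would pin the nonce to the script directive. A further check that captures the header nonce, compares it with the `nonce` attribute in the body, and confirms that a second `get_ok('/')` yields a different value would catch a static or mismatched nonce. I have not written that out because the header's exact serialisation is not visible here.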
diff --git a/templates/layouts/main.html.ep b/templates/layouts/main.html.ep
index f5610c2..2fa2563 100644
--- a/templates/layouts/main.html.ep
+++ b/templates/layouts/main.html.ep
@@ -60,6 +60,9 @@
         data-korap-url="<%== $api %>"
         itemscope
         itemtype="http://schema.org/<%= stash('schematype') || 'WebApplication' %>">
+    
+    %= csp_nonce_tag
+
     <div id="kalamar-bg"></div>
     
     %= include 'partial/side', embedded => $embedded
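Review bot: The new `%= csp_nonce_tag` line has no template comment, so a reader of the layout cannot tell that it appears to emit the inline script registered under `nonce_js` in lib/Kalamar.pm and that it depends on `-with_nonce` being enabled. A line such as `%# Nonce-authorised inline script (content block nonce_js); removes the no-js class` above it would do. The added line before it consists only of trailing whitespace and could be an empty line. The `<body>` element opens and closes outside the hunk.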