Remove no-js declaration in nonce-enabled inline script
Change-Id: If29e7d48ef9c326533a5e6f9a44176d2da84b78d
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index b13de68..4a2ae7c 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -147,11 +147,13 @@
$self->plugin(CSP => {
'default-src' => 'self',
'style-src' => ['self','unsafe-inline'],
+ 'script-src' => 'self',
'frame-src' => '*',
'media-src' => 'none',
'object-src' => 'self',
'font-src' => 'self',
- 'img-src' => ['self', 'data:']
+ 'img-src' => ['self', 'data:'],
+ -with_nonce => 1
});
# Localization framework
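Review bot: The added `-with_nonce => 1` has no comment explaining what it changes for the rest of the application. Together with `'script-src' => 'self'`, inline `<script>` elements are presumably only allowed when they carry the per-response nonce, and inline event-handler attributes cannot be allowed by a nonce at all. I would add a comment above it such as `# Inline scripts are only allowed with the per-response nonce; emit them via the nonce_js content block`. It is also worth confirming that responses carrying the nonce are never served from a shared cache, since a reused nonce no longer protects anything; no caching is visible in this hunk.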
@@ -178,7 +180,7 @@
foreach (
'TagHelpers::MailToChiffre', # Obfuscate email addresses
'KalamarHelpers', # Specific Helpers for Kalamar
- 'KalamarPages', # Page Helpers for Kalamar
+ 'KalamarPages', # Page Helpers for Kalamar
'KalamarErrors', # Specific Errors for Kalamar
'KalamarUser', # Specific Helpers for Kalamar Users
'ClientIP', # Get client IP from X-Forwarded-For
@@ -272,6 +274,14 @@
position => 100
});
+ # Add nonce script
+ $self->content_block(nonce_js => {
+ inline => <<'NONCE_JS'
+ // Remove the no-js class from the body
+ document.body.classList.remove('no-js');
+NONCE_JS
+ });
+
# Base query route
$r->get('/')->to('search#query')->name('index');
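Review bot: The comment `# Add nonce script` does not state the trust property of this content block. Whatever is registered under `nonce_js` is presumably rendered inside a script element carrying the CSP nonce, so it runs even though the policy is `script-src 'self'`. I would expand the comment to `# nonce_js content is emitted in a nonce'd inline <script>; register only static strings here, never request- or user-derived data`. Separately, `document.body` is null if the tag is rendered in the head before the body is parsed, so the template placement should be confirmed. The template is not visible here, and the enclosing startup code begins and ends outside the hunk.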