From f29e519c59b8f069a3f8aff0597354440aab2c9b Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 12 Jun 2024 15:15:14 +0100
Subject: [PATCH] Add nonces back in for scripts and styles

---
 app/__init__.py                                             | 1 +
 app/templates/base.html                                     | 4 ++--
 app/templates/catalogue/archive.html                        | 2 +-
 app/templates/catalogue/creator.html                        | 2 +-
 app/templates/catalogue/person.html                         | 2 +-
 app/templates/catalogue/record.html                         | 2 +-
 app/templates/explore-the-collection/article-focused.html   | 2 +-
 app/templates/explore-the-collection/article.html           | 4 ++--
 app/templates/explore-the-collection/highlight-gallery.html | 2 +-
 app/templates/explore-the-collection/record-article.html    | 2 +-
 app/templates/main/new_home.html                            | 2 +-
 11 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index 259b3bd8..b0f05f65 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -56,6 +56,7 @@ def create_app(config_class):
             "connect-src": app.config["CSP_CONNECT_SRC"],
             "media-src": app.config["CSP_MEDIA_SRC"],
         },
+        content_security_policy_nonce_in=["script-src", "style-src"],
         feature_policy={
             "camera": "'none'",
             "fullscreen": "'self'",
diff --git a/app/templates/base.html b/app/templates/base.html
index 4a0429c4..be2cf7da 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -262,6 +262,6 @@
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='main.min.js') }}" defer></script>
-<script src="{{ url_for('static', filename='analytics.min.js') }}" defer></script>
+<script src="{{ url_for('static', filename='main.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
+<script src="{{ url_for('static', filename='analytics.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
 {% endblock %}
diff --git a/app/templates/catalogue/archive.html b/app/templates/catalogue/archive.html
index c186dd3c..c14ceb67 100644
--- a/app/templates/catalogue/archive.html
+++ b/app/templates/catalogue/archive.html
@@ -27,7 +27,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block beforeContent %}
diff --git a/app/templates/catalogue/creator.html b/app/templates/catalogue/creator.html
index 0a3b0e77..75dd4500 100644
--- a/app/templates/catalogue/creator.html
+++ b/app/templates/catalogue/creator.html
@@ -27,7 +27,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block beforeContent %}
diff --git a/app/templates/catalogue/person.html b/app/templates/catalogue/person.html
index 2d984981..25c2a60d 100644
--- a/app/templates/catalogue/person.html
+++ b/app/templates/catalogue/person.html
@@ -27,7 +27,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block beforeContent %}
diff --git a/app/templates/catalogue/record.html b/app/templates/catalogue/record.html
index b36ce8b3..3e9af8d4 100644
--- a/app/templates/catalogue/record.html
+++ b/app/templates/catalogue/record.html
@@ -30,7 +30,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='catalogue.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block beforeContent %}
diff --git a/app/templates/explore-the-collection/article-focused.html b/app/templates/explore-the-collection/article-focused.html
index 8e48f82a..40f36c00 100644
--- a/app/templates/explore-the-collection/article-focused.html
+++ b/app/templates/explore-the-collection/article-focused.html
@@ -147,6 +147,6 @@ <h2 class="etna-author-list__heading tna-heading-s">Author{{ 's' if page_data.au
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='article.min.js') }}" defer></script>
+<script src="{{ url_for('static', filename='article.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
 {{ super() }}
 {% endblock %}
diff --git a/app/templates/explore-the-collection/article.html b/app/templates/explore-the-collection/article.html
index 237de54f..326e1504 100644
--- a/app/templates/explore-the-collection/article.html
+++ b/app/templates/explore-the-collection/article.html
@@ -12,7 +12,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='article.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='article.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block content %}
@@ -88,6 +88,6 @@ <h1 class="tna-hgroup__title" itemprop="name">{{ page_data.title }}</h1>
 {% endblock %}
 
 {% block bodyEnd %}
-<script src="{{ url_for('static', filename='article.min.js') }}" defer></script>
+<script src="{{ url_for('static', filename='article.min.js') }}" nonce="{{ csp_nonce() }}" defer></script>
 {{ super() }}
 {% endblock %}
diff --git a/app/templates/explore-the-collection/highlight-gallery.html b/app/templates/explore-the-collection/highlight-gallery.html
index 948c98bc..3ff47e0f 100644
--- a/app/templates/explore-the-collection/highlight-gallery.html
+++ b/app/templates/explore-the-collection/highlight-gallery.html
@@ -9,7 +9,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='highlight-gallery.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='highlight-gallery.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block content %}
diff --git a/app/templates/explore-the-collection/record-article.html b/app/templates/explore-the-collection/record-article.html
index 30d6285b..fb3701ec 100644
--- a/app/templates/explore-the-collection/record-article.html
+++ b/app/templates/explore-the-collection/record-article.html
@@ -12,7 +12,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='article.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='article.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block content %}
diff --git a/app/templates/main/new_home.html b/app/templates/main/new_home.html
index 0d5fede1..842b2925 100644
--- a/app/templates/main/new_home.html
+++ b/app/templates/main/new_home.html
@@ -9,7 +9,7 @@
 
 {% block stylesheets %}
 {{ super() }}
-    <link rel="stylesheet" href="{{ url_for('static', filename='homepage.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='homepage.css') }}" nonce="{{ csp_nonce() }}">
 {% endblock %}
 
 {% block content %}