Merge pull request #1259 from twm/style-nonce

Fix missing <style nonce> attrs
twm · Jan 7, 2025 · 9888d0b · 9888d0b
2 parents 59fceef + e4abe88
commit 9888d0b
Show file tree

Hide file tree

Showing 10 changed files with 16 additions and 28 deletions.
diff --git a/yarrharr/application.py b/yarrharr/application.py
@@ -1,4 +1,4 @@
-# Copyright © 2013, 2015, 2016, 2017, 2018, 2020, 2022, 2023 Tom Most <[email protected]>
+# Copyright © 2013, 2015, 2016, 2017, 2018, 2020, 2022, 2023, 2025 Tom Most <[email protected]>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -303,20 +303,20 @@ def getChildWithDefault(self, name, request):
         request.setHeader(b"X-Content-Type-Options", b"nosniff")
         request.setHeader(b"Cross-Origin-Opener-Policy", b"same-origin")
 
-        script_nonce = b64encode(os.urandom(32))
-        request.requestHeaders.setRawHeaders(b"Yarrharr-Script-Nonce", [script_nonce])
+        csp_nonce = b64encode(os.urandom(32))
+        request.requestHeaders.setRawHeaders(b"Yarrharr-Csp-Nonce", [csp_nonce])
         request.setHeader(
             b"Content-Security-Policy",
             (
                 # b"default-src 'none'; "
                 b"img-src *; "
                 b"script-src 'self' 'nonce-%s'; "
-                b"style-src 'self'; "
+                b"style-src 'self' 'nonce-%s'; "
                 b"frame-ancestors 'none'; "
                 b"form-action 'self'; "
                 b"report-uri /csp-report"
             )
-            % (script_nonce,),
+            % (csp_nonce, csp_nonce),
         )
 
         return super().getChildWithDefault(name, request)

diff --git a/yarrharr/context_processors.py b/yarrharr/context_processors.py
@@ -1,4 +1,4 @@
-# Copyright © 2022 Tom Most <[email protected]>
+# Copyright © 2022, 2025 Tom Most <[email protected]>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -29,13 +29,13 @@ def csp(request):
     """
     if settings.YARRHARR_SCRIPT_NONCE:
         try:
-            nonce = request.headers["Yarrharr-Script-Nonce"]
+            csp_nonce = request.headers["Yarrharr-Csp-Nonce"]
         except KeyError:
             if os.environ.get("YARRHARR_TESTING") == "yes":
                 # Only ignore this in unit tests so we fail safe in production.
-                nonce = None
+                csp_nonce = None
             else:
                 raise
     else:
-        nonce = None
-    return {"script_nonce": nonce}
+        csp_nonce = None
+    return {"csp_nonce": csp_nonce}
diff --git a/yarrharr/templates/components.html b/yarrharr/templates/components.html
@@ -38,7 +38,7 @@
 </template>
 
 
-<script type="module" nonce="{{ script_nonce }}">
+<script type="module" nonce="{{ csp_nonce }}">
 {% url 'api-flags' as flag_api_url %}
 const flagsApi = "{{ flag_api_url|escapejs }}";
 

diff --git a/yarrharr/templates/feed_add.html b/yarrharr/templates/feed_add.html
@@ -4,7 +4,7 @@
 
 {% block content %}
 
-<style>
+<style nonce="{{ csp_nonce }}">
 .feed-add {
   margin: 2rem auto;
   padding: 1.5rem 2rem 2rem 2rem;

diff --git a/yarrharr/templates/feed_edit.html b/yarrharr/templates/feed_edit.html
@@ -3,10 +3,6 @@
 {% block title %}{{ feed.title }} - Edit{% endblock %}
 
 {% block content %}
-<style>
-/* TODO */
-</style>
-
 <div id="yarrharr" class="layout-narrow">
 
   {% include "header.html" %}

diff --git a/yarrharr/templates/feed_list.html b/yarrharr/templates/feed_list.html
@@ -3,10 +3,6 @@
 {% block title %}Feeds{% endblock %}
 
 {% block content %}
-<style>
-/* TODO */
-</style>
-
 <div id="yarrharr" class="layout-narrow">
 
   {% include "header.html" %}

diff --git a/yarrharr/templates/header.html b/yarrharr/templates/header.html
@@ -48,7 +48,7 @@
 
 </div>
 
-<script type="module" nonce="{{ script_nonce }}">
+<script type="module" nonce="{{ csp_nonce }}">
   const b = document.getElementById("layout-button");
   const y = document.getElementById("yarrharr");
 
@@ -79,7 +79,7 @@
   readFromStorage();
 </script>
 
-<script type="module" nonce="{{ script_nonce }}">
+<script type="module" nonce="{{ csp_nonce }}">
   const b = document.getElementById("fullscreen-button");
   b.onclick = e =>  {
     if (document.fullscreenElement) {

diff --git a/yarrharr/templates/home.html b/yarrharr/templates/home.html
@@ -6,7 +6,7 @@
 {% block title %}Home{% endblock %}
 
 {% block content %}
-<style>
+<style nonce="{{ csp_nonce }}">
 .home-view {
     margin: 0 auto;
     max-width: var(--layout-max-width);

diff --git a/yarrharr/templates/label_edit.html b/yarrharr/templates/label_edit.html
@@ -4,10 +4,6 @@
 {% block title %}{{ label.text }} - Edit{% endblock %}
 
 {% block content %}
-<style>
-/* TODO */
-</style>
-
 <div id="yarrharr" class="layout-narrow">
 
   {% include "header.html" %}

diff --git a/yarrharr/templates/login.html b/yarrharr/templates/login.html
@@ -7,7 +7,7 @@
 
 {% block content %}
 
-<style>
+<style nonce="{{ csp_nonce }}">
 .login-page {
     display: flex;
     flex-flow: column nowrap;