Revert "FIX: Omit CSP nonce and hash values when unsafe-inline enabled (#25590)" (#25609)

This reverts commit 767b49232e. If anything else (e.g. GTM integration) introduces a nonce/hash, then this change stops the splash screen JS to fail and makes sites unusable.
2024-02-08 11:44:09 +00:00 · 2024-02-08 11:44:09 +00:00 · ee08a8c52b
parent fb0e656cb7
commit ee08a8c52b
2 changed files with 0 additions and 23 deletions
--- a/lib/content_security_policy/builder.rb
+++ b/lib/content_security_policy/builder.rb
@ -43,10 +43,6 @@ class ContentSecurityPolicy

      @directives.each do |directive, sources|
        if sources.is_a?(Array)
-          if sources.include?("'unsafe-inline'")
-            # Sending nonce- or sha###- values will disable unsafe-inline, so skip them
-            sources = sources.reject { |s| s.start_with?("'nonce-", "'sha") }
-          end
          policy.public_send(directive, *sources)
        else
          policy.public_send(directive, sources)
--- a/spec/lib/content_security_policy/builder_spec.rb
+++ b/spec/lib/content_security_policy/builder_spec.rb
@ -35,25 +35,6 @@ RSpec.describe ContentSecurityPolicy::Builder do

      expect(builder.build).to eq(previous)
    end
-
-    it "omits nonce when unsafe-inline enabled" do
-      builder << { script_src: %w['unsafe-inline' 'nonce-abcde'] }
-
-      expect(builder.build).not_to include("nonce-abcde")
-    end
-
-    it "omits sha when unsafe-inline enabled" do
-      builder << { script_src: %w['unsafe-inline' 'sha256-abcde'] }
-
-      expect(builder.build).not_to include("sha256-abcde")
-    end
-
-    it "keeps sha and nonce when unsafe-inline is not specified" do
-      builder << { script_src: %w['nonce-abcde' 'sha256-abcde'] }
-
-      expect(builder.build).to include("nonce-abcde")
-      expect(builder.build).to include("sha256-abcde")
-    end
  end

  def parse(csp_string)