Use Content-Security-Policy: script nonce (#37232)

Fix #305
wxiaoguang
2026-04-16 04:07:57 +08:00
committed by GitHub
parent 2644bb8490
commit 82bfde2a37
18 changed files with 134 additions and 52 deletions


@@ -69,6 +69,8 @@ async function initRepoPullRequestMergeForm(box: HTMLElement) {
}
function executeScripts(elem: HTMLElement) {
// find any existing nonce value from the current page and apply it to the new script
const scriptNonce = document.querySelector('script[nonce]')!.getAttribute('nonce')!;
for (const oldScript of elem.querySelectorAll('script')) {
// TODO: that's the only way to load the data for the merge form. In the future
// we need to completely decouple the page data and embedded script
@@ -78,6 +80,7 @@ function executeScripts(elem: HTMLElement) {
if (attr.name === 'type' && attr.value === 'module') continue;
newScript.setAttribute(attr.name, attr.value);
}
newScript.setAttribute('nonce', scriptNonce);
newScript.text = oldScript.text;
document.body.append(newScript);
}
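Review bot: In `executeScripts`, `document.querySelector('script[nonce]')!.getAttribute('nonce')!` reads the nonce from the content attribute, which browsers that implement nonce hiding blank out when the policy arrives in a response header, so the re-created scripts may receive an empty nonce and be blocked; the `nonce` IDL property keeps the value. The two `!` assertions also turn a page with no nonce-bearing script into a TypeError that aborts the merge form (whether that can happen depends on configuration not visible here). Consider `const scriptNonce = document.querySelector<HTMLScriptElement>('script[nonce]')?.nonce ?? '';` and `if (scriptNonce) newScript.nonce = scriptNonce;`. Because every `<script>` found in `elem` now inherits a valid nonce, the policy no longer protects this path and the function depends on `elem` holding only server-rendered markup; a comment such as `// elem must be trusted server-rendered HTML: its scripts are re-created with the page nonce` would record that. Part of the function body lies between and after the two hunks.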