fix(csp): remove script nonce if inline scripts are disabled (#700)

Co-authored-by: guym4c <hi@guymac.eu>
Co-authored-by: Jonny Adshead <JAdshead@users.noreply.github.com>

__tests__/server/middleware/csp.spec.js

@@ -127,7 +127,7 @@ describe('csp', () => {
       const headers = res._getHeaders();
       const { scriptNonce } = res;
       expect(headers).toHaveProperty('content-security-policy');
-      expect(headers['content-security-policy'].search(scriptNonce)).not.toEqual(-1);
+      expect(headers['content-security-policy'].includes(scriptNonce)).toBe(true);
     });
 
     it('does not set the script nonce if this has been disabled in development', () => {
@@ -139,11 +139,7 @@ describe('csp', () => {
       const { updateCSP } = requiredCsp;
       updateCSP("default-src 'none'; script-src 'self';");
       cspMiddleware()(req, res, next);
-      // eslint-disable-next-line no-underscore-dangle
-      const headers = res._getHeaders();
-      const { scriptNonce } = res;
-      expect(headers).toHaveProperty('content-security-policy');
-      expect(headers['content-security-policy'].search(scriptNonce)).toEqual(-1);
+      expect(res.scriptNonce).toBeUndefined();
     });
   });
 

src/server/middleware/csp.js

@@ -66,15 +66,15 @@ const csp = () => (req, res, next) => {
     if (process.env.ONE_CSP_ALLOW_INLINE_SCRIPTS === 'true') {
       updatedScriptSrc = insertSource(policy, 'script-src', developmentAdditions);
     } else {
+      res.scriptNonce = scriptNonce;
       updatedScriptSrc = insertSource(policy, 'script-src', `'nonce-${scriptNonce}' ${developmentAdditions}`);
     }
     updatedPolicy = insertSource(updatedScriptSrc, 'connect-src', developmentAdditions);
   } else {
+    res.scriptNonce = scriptNonce;
     updatedPolicy = insertSource(policy, 'script-src', `'nonce-${scriptNonce}'`);
   }
 
-  res.scriptNonce = scriptNonce;
-
   if (process.env.ONE_DANGEROUSLY_DISABLE_CSP !== 'true') {
     res.setHeader('Content-Security-Policy', updatedPolicy);
   }