Nonce based CSP not supported in Safari yet

bbqchickenrobot · Feb 16, 2019 · 511a5c0 · 511a5c0
1 parent c92c840
commit 511a5c0
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
@@ -229,6 +229,16 @@ def getReferer(self):
         else:
             return referer
 
+    def isScriptNonceSupported(self):
+        user_agent = self.env.get("HTTP_USER_AGENT")
+        if "Edge/" in user_agent:
+            is_script_nonce_supported = False
+        elif "Safari/" in user_agent and "Chrome/" not in user_agent:
+            is_script_nonce_supported = False
+        else:
+            is_script_nonce_supported = True
+        return is_script_nonce_supported
+
     # Send response headers
     def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
         headers = {}
@@ -241,7 +251,7 @@ def sendHeader(self, status=200, content_type="text/html", noscript=False, allow
 
         if noscript:
             headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"
-        elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT"):
+        elif script_nonce and self.isScriptNonceSupported():
             headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src *; frame-src 'self'".format(script_nonce)
 
         if allow_ajax: