Skip to content

Commit 7f13f5b

Browse files
committed
fix: Ensure script_nonce is available for security headers to prevent XSS attacks
1 parent e1390c4 commit 7f13f5b

3 files changed

Lines changed: 14 additions & 4 deletions

File tree

CHANGELOG.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
11
# Changelog
22

3-
## v1.6.9~rc3 - 2026/03/??
3+
## v1.6.9 - 2026/03/??
4+
5+
- [BUGFIX] Ensure script_nonce is available for security headers to prevent XSS attacks
6+
7+
## v1.6.9~rc3 - 2026/03/06
48

59
- [BUGFIX] Fix issues with the new `multiselect` logic where a custom separator can be used, but the default one (space) was still used if the separator was empty, which caused issues with settings that had an empty string as a value.
610
- [BUGFIX] Fix issue with the failover not sending the failover configuration if the reload failed, which caused the failover configuration to not be applied until the next successful reload.

src/ui/main.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1161,12 +1161,16 @@ def mark_user_access(user, session_id):
11611161
@app.after_request
11621162
def set_security_headers(response):
11631163
"""Set the security headers."""
1164+
# Ensure script_nonce is available even if before_request didn't complete
1165+
# (e.g., when CSRF validation fails before our before_request runs)
1166+
script_nonce = getattr(g, "script_nonce", None) or token_urlsafe(32)
1167+
11641168
# * Content-Security-Policy header to prevent XSS attacks
11651169
response.headers["Content-Security-Policy"] = (
11661170
"object-src 'none';"
11671171
+ " frame-ancestors 'self';"
11681172
+ " default-src https: http: 'self' https://www.bunkerweb.io https://assets.bunkerity.com https://bunkerity.us1.list-manage.com https://api.github.com;"
1169-
+ f" script-src https: http: 'self' 'nonce-{g.script_nonce}' 'strict-dynamic' 'unsafe-inline';"
1173+
+ f" script-src https: http: 'self' 'nonce-{script_nonce}' 'strict-dynamic' 'unsafe-inline';"
11701174
+ " style-src 'self' 'unsafe-inline';"
11711175
+ " img-src 'self' data: blob: https://www.bunkerweb.io https://assets.bunkerity.com https://*.tile.openstreetmap.org;"
11721176
+ " font-src 'self' data:;"

src/ui/temp.py

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -60,19 +60,21 @@ def before_request():
6060
def inject_variables():
6161
return dict(
6262
current_endpoint=request.path.split("/")[-1],
63-
script_nonce=g.script_nonce,
63+
script_nonce=getattr(g, "script_nonce", None) or token_urlsafe(32),
6464
)
6565

6666

6767
@app.after_request
6868
def set_security_headers(response):
6969
"""Set the security headers."""
70+
script_nonce = getattr(g, "script_nonce", None) or token_urlsafe(32)
71+
7072
# * Content-Security-Policy header to prevent XSS attacks
7173
response.headers["Content-Security-Policy"] = (
7274
"object-src 'none';"
7375
+ " frame-ancestors 'self';"
7476
+ " default-src 'self'"
75-
+ f" script-src https: http: 'self' 'nonce-{g.script_nonce}' 'strict-dynamic' 'unsafe-inline';"
77+
+ f" script-src https: http: 'self' 'nonce-{script_nonce}' 'strict-dynamic' 'unsafe-inline';"
7678
+ " style-src 'self' 'unsafe-inline';"
7779
+ " img-src 'self' data: blob: https://assets.bunkerity.com;"
7880
+ " base-uri 'self';"

0 commit comments

Comments
 (0)