Add support for using a nonce with the Content-Security-Policy header

nitter.example.conf

@@ -21,6 +21,7 @@ redisMaxConnections = 30
 
 [Config]
 hmacKey = "secretkey"  # random key for cryptographic signing of video urls
+nonceString = "secretstring" # random string for the Content-Security-Policy header with script-src
 base64Media = false  # use base64 encoding for proxied media urls
 enableRSS = true  # set this to false to disable RSS feeds
 enableDebug = false  # enable request logs and debug endpoints (/.accounts)

src/config.nim

@@ -35,6 +35,7 @@ proc getConfig*(path: string): (Config, parseCfg.Config) =
 
     # Config
     hmacKey: cfg.get("Config", "hmacKey", "secretkey"),
+    nonceString: cfg.get("Config", "nonceString", "secretstring"),
     base64Media: cfg.get("Config", "base64Media", false),
     minTokens: cfg.get("Config", "tokenCount", 10),
     enableRss: cfg.get("Config", "enableRSS", true),

src/types.nim

@@ -256,6 +256,7 @@ type
     staticDir*: string
 
     hmacKey*: string
+    nonceString*: string
     base64Media*: bool
     minTokens*: int
     enableRss*: bool

src/views/general.nim

@@ -73,11 +73,11 @@ proc renderHead*(prefs: Prefs; cfg: Config; req: Request; titleText=""; desc="";
       link(rel="alternate", type="application/rss+xml", href=rss, title="RSS feed")
 
     if prefs.hlsPlayback:
-      script(src="/js/hls.light.min.js", `defer`="")
-      script(src="/js/hlsPlayback.js", `defer`="")
+      script(nonce=cfg.nonceString, src="/js/hls.light.min.js", `defer`="")
+      script(nonce=cfg.nonceString, src="/js/hlsPlayback.js", `defer`="")
 
     if prefs.infiniteScroll:
-      script(src="/js/infiniteScroll.js", `defer`="")
+      script(nonce=cfg.nonceString, src="/js/infiniteScroll.js", `defer`="")
 
     title:
       if titleText.len > 0: