Ban inline scripts in CSP

assets/javascripts/views/pages/jquery.coffee

@@ -45,7 +45,7 @@ class app.views.JqueryPage extends app.views.BasePage
 
   fixIframeSource: (source) ->
     source = source.replace '"/resources/', '"https://api.jquery.com/resources/' # attr(), keydown()
-    source.replace '</head>', """
+    source = source.replace '</head>', """
       <style>
         html, body { border: 0; margin: 0; padding: 0; }
         body { font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; }
@@ -60,3 +60,4 @@ class app.views.JqueryPage extends app.views.BasePage
       </script>
       </head>
     """
+    source.replace /<script>/gi, '<script nonce="devdocs">'

lib/app.rb

@@ -67,13 +67,13 @@ class App < Sinatra::Application
     BetterErrors.application_root = File.expand_path('..', __FILE__)
     BetterErrors.editor = :sublime
 
-    set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' *; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
+    set :csp, "default-src 'self' *; script-src 'self' 'nonce-devdocs' *; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
   end
 
   configure :production do
     set :static, false
     set :docs_host, '//docs.devdocs.io'
-    set :csp, "default-src 'self' *; script-src 'self' 'unsafe-inline' http://cdn.devdocs.io https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es http://*.jquery.com https://*.jquery.com; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
+    set :csp, "default-src 'self' *; script-src 'self' http://cdn.devdocs.io https://cdn.devdocs.io https://www.google-analytics.com https://secure.gaug.es http://*.jquery.com https://*.jquery.com; font-src data:; style-src 'self' 'unsafe-inline' *; img-src 'self' * data:;"
 
     use Rack::ConditionalGet
     use Rack::ETag