diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
index 3b5ab297666056..a836ac406fe0a3 100755
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -35,17 +35,19 @@
= csrf_meta_tags unless skip_csrf_meta_tags?
%meta{ name: 'style-nonce', content: request.content_security_policy_nonce }
- :javascript
- var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
- window.MathJax = {
- chtml: {nonce: nonce},
- tex: {
- processEnvironments: false,
- processRefs: false,
- inlineMath: [['\\(', '\\)']],
- displayMath: [['\\[', '\\]']]
+ %script{ nonce: request.content_security_policy_nonce }
+ :plain
+ var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
+ window.MathJax = {
+ chtml: {nonce: nonce},
+ tex: {
+ processEnvironments: false,
+ processRefs: false,
+ inlineMath: [['\\(', '\\)']],
+ displayMath: [['\\[', '\\]']]
}
};
+
%script{ src: '/MathJax/es5/tex-chtml.js' }
= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 9b83fd342c631f..8214844746166b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -86,7 +86,7 @@ def sso_host
Rails.application.config.content_security_policy_nonce_generator = ->request { SecureRandom.base64(16) }
-Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
+Rails.application.config.content_security_policy_nonce_directives = %w(style-src script-src)
Rails.application.reloader.to_prepare do
PgHero::HomeController.content_security_policy do |p|
diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
index d327ac1b45d0c3..350442da7df602 100644
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@@ -21,7 +21,7 @@
"child-src 'self' blob: https://cb6e6126.ngrok.io",
"worker-src 'self' blob: https://cb6e6126.ngrok.io",
"connect-src 'self' blob: data: ws://localhost:4000 https://cb6e6126.ngrok.io",
- "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'"
+ "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval' 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='"
)
end
end