From aab635154af9615b160747f6a14391fd603843e4 Mon Sep 17 00:00:00 2001 From: snipe Date: Mon, 2 Oct 2017 13:29:14 -0700 Subject: [PATCH 1/2] Default to turning CSP off until we can fix vue/CSP issues --- app/Http/Middleware/ContentSecurityPolicyHeader.php | 4 ++-- config/app.php | 2 +- resources/views/layouts/default.blade.php | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php index dd0d39cf36..05eb73ed9d 100644 --- a/app/Http/Middleware/ContentSecurityPolicyHeader.php +++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php @@ -14,14 +14,14 @@ class ContentSecurityPolicyHeader */ public function handle($request, Closure $next) { - if ((config('app.debug')=='true') || (config('app.disable_csp')=='true')) { + if ((config('app.debug')=='true') || (config('app.enable_csp')!='true')) { $response = $next($request); return $response; } $policy[] = "default-src 'self'"; $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com"; - $policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'"; + $policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'"; $policy[] = "connect-src 'self'"; $policy[] = "object-src 'none'"; $policy[] = "font-src 'self' data:"; diff --git a/config/app.php b/config/app.php index e2dc3682b9..43f851abd2 100755 --- a/config/app.php +++ b/config/app.php @@ -183,7 +183,7 @@ return [ | */ - 'disable_csp' => env('DISABLE_CSP', false), + 'enable_csp' => env('ENABLE_CSP', false), diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php index 808f18de46..ab87ce569d 100644 --- a/resources/views/layouts/default.blade.php +++ b/resources/views/layouts/default.blade.php @@ -84,8 +84,8 @@ @else - - + + @endif From 7a27fda083e38984959d91249230c8c091013f3f Mon Sep 17 00:00:00 2001 
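Review bot: Adding `'unsafe-inline'` to the script-src line does not loosen anything in browsers that understand nonces: when a `'nonce-…'` source is present in the same directive, CSP Level 2 and later require `'unsafe-inline'` to be ignored, so inline Vue scripts that lack the nonce stay blocked and only the new `ENABLE_CSP=false` default actually avoids the breakage. Pick one mechanism rather than shipping both: either drop the nonce and accept `'unsafe-inline'` for now, or keep the nonce and stamp it onto the inline script tags. The nonce itself is `csrf_token()`, which is constant for the whole session; a nonce is meant to be unpredictable per response, so if the nonce path is kept it should be a fresh per-request value (e.g. `bin2hex(random_bytes(16))`) shared with the view. `oss.mafxcdn.com` on the same line looks like a typo for the `oss.maxcdn.com` used on the style-src line just above; if so, scripts from the real CDN are blocked while an unrelated host is allow-listed. The `handle()` body continues past the hunk so the header-emitting line is not visible here, but while the Vue issue is open, sending the policy as `Content-Security-Policy-Report-Only` instead of disabling it would keep violation reports flowing without breaking pages.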
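Review bot: With `env('ENABLE_CSP', false)` the policy becomes opt-in, so any install that never edits its `.env` ships with no Content-Security-Policy header at all, and the doc-block closing just above this key (its start is outside the hunk) should say so and name the reason, so the default is revisited once the Vue issue is fixed; something like `| CSP is off by default until the Vue/CSP inline-script issues are resolved; set ENABLE_CSP=true to opt in.` would do. Laravel's `env()` converts the literal `true` to a boolean but leaves `1` as the string "1", so `ENABLE_CSP=1` would presumably keep CSP off given the middleware's loose `!= 'true'` comparison. Normalising here with `'enable_csp' => filter_var(env('ENABLE_CSP', false), FILTER_VALIDATE_BOOLEAN),` and comparing against `true` in the middleware would make the flag robust to the usual truthy spellings.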
From: snipe Date: Mon, 2 Oct 2017 13:29:42 -0700 Subject: [PATCH 2/2] Update example env with CSP default --- .env.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 936eb4b29d..04f13a4c3a 100644 --- a/.env.example +++ b/.env.example @@ -69,7 +69,7 @@ SECURE_COOKIES=false # OPTIONAL: SECURITY HEADER SETTINGS # -------------------------------------------- REFERRER_POLICY=strict-origin -DISABLE_CSP=false +ENABLE_CSP=false # --------------------------------------------