Merge branch 'develop'

.env.example

@@ -69,7 +69,7 @@ SECURE_COOKIES=false
 # OPTIONAL: SECURITY HEADER SETTINGS
 # --------------------------------------------
 REFERRER_POLICY=strict-origin
-DISABLE_CSP=false
+ENABLE_CSP=false
 
 
 # --------------------------------------------

app/Http/Middleware/ContentSecurityPolicyHeader.php

@@ -14,14 +14,14 @@ class ContentSecurityPolicyHeader
      */
     public function handle($request, Closure $next)
     {
-        if ((config('app.debug')=='true')  || (config('app.disable_csp')=='true')) {
+        if ((config('app.debug')=='true')  || (config('app.enable_csp')!='true')) {
             $response = $next($request);
             return $response;
         }
 
         $policy[] = "default-src 'self'";
         $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
-        $policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
+        $policy[] = "script-src 'self' 'unsafe-inline' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
         $policy[] = "connect-src 'self'";
         $policy[] = "object-src 'none'";
         $policy[] = "font-src 'self' data:";

config/app.php

@@ -183,7 +183,7 @@ return [
     |
     */
 
-    'disable_csp' => env('DISABLE_CSP', false),
+    'enable_csp' => env('ENABLE_CSP', false),
 
 
 

resources/views/layouts/default.blade.php

@@ -84,8 +84,8 @@
             <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js" integrity="sha384-ZoaMbDF+4LeFxg6WdScQ9nnR1QC2MIRxA1O9KWEXQwns1G8UNyIEZIQidzb0T1fo" crossorigin="anonymous"></script>
 
        @else
-            <script src="{{ url(asset('js/html5shiv.js')) }}"></script>
+            <script src="{{ url(asset('js/html5shiv.js')) }}" nonce="{{ csrf_token() }}"></script>
-            <script src="{{ url(asset('js/respond.js')) }}"></script>
+            <script src="{{ url(asset('js/respond.js')) }}" nonce="{{ csrf_token() }}"></script>
        @endif
        <![endif]-->
   </head>