From 18f383c543e40c0200d183eaa5e416347cf0df41 Mon Sep 17 00:00:00 2001
From: Soufiane <soufiane@scinote.net>
Date: Fri, 14 Jul 2023 15:38:00 +0200
Subject: [PATCH] Update CSP script-src-elem [SCI-8634] (#5775)

---
 config/initializers/content_security_policy.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 087a331d7..09e47902d 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -12,7 +12,7 @@ ActiveSupport::Reloader.to_prepare do
     policy.img_src     :self, :https, :data, :blob
     policy.object_src  :none
     policy.script_src  :self, :unsafe_eval
-    policy.script_src_elem :self, *Extends::EXTERNAL_SERVICES
+    policy.script_src_elem :self, :unsafe_eval, *Extends::EXTERNAL_SERVICES
     policy.style_src   :self, :https, :unsafe_inline, :data
     policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
 
@@ -32,7 +32,7 @@ Rails.application.config.content_security_policy_nonce_generator = -> (request)
 end
 
 # Set the nonce only to specific directives
-Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+Rails.application.config.content_security_policy_nonce_directives = %w(script-src script-src-elem)
 
 # Report CSP violations to a specified URI
 # For further information see the following documentation: