From 4808f6438c0da1b6f659cbb8ab74b73c294fa46f Mon Sep 17 00:00:00 2001
From: Soufiane
Date: Mon, 17 Jul 2023 11:26:41 +0200
Subject: [PATCH] Fix CSP script-src [SCI-8634] (#5781)

---
 config/initializers/content_security_policy.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 09e47902d..48ab4e62c 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -11,8 +11,7 @@ ActiveSupport::Reloader.to_prepare do
     policy.font_src :self, :https, :data
     policy.img_src :self, :https, :data, :blob
     policy.object_src :none
-    policy.script_src :self, :unsafe_eval
-    policy.script_src_elem :self, :unsafe_eval, *Extends::EXTERNAL_SERVICES
+    policy.script_src :self, :unsafe_eval, *Extends::EXTERNAL_SERVICES
     policy.style_src :self, :https, :unsafe_inline, :data
     policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
 
@@ -32,7 +31,7 @@ Rails.application.config.content_security_policy_nonce_generator = -> (request)
 end
 
 # Set the nonce only to specific directives
-Rails.application.config.content_security_policy_nonce_directives = %w(script-src script-src-elem)
+Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
 
 # Report CSP violations to a specified URI
 # For further information see the following documentation:
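Review bot: `:unsafe_eval` survives the merge into the single `policy.script_src` line, so any attacker-controlled string that reaches `eval`, `new Function` or `setTimeout(string)` inside a self-hosted or external-service script still executes; the line should record why it is required, e.g. `# :unsafe_eval is required by <library> — remove once that dependency no longer needs it`, so it is revisited when the front-end stack changes. Splatting `*Extends::EXTERNAL_SERVICES` into script-src also makes every host in that list a script origin in all browsers (before, browsers without script-src-elem support saw only `:self, :unsafe_eval`), so the list is worth auditing to hold only hosts that genuinely serve scripts and none that expose JSONP endpoints or similar, which are well-known bypasses of host-allowlist CSPs. A comment such as `# every host listed here may run code on the page — keep it to hosts that must serve scripts` on that line would make the contract explicit to whoever extends the constant. The `to_prepare` block and the policy block both start and end outside this hunk.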
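Review bot: The nonce generator lambda is only visible through its closing `end` (its body starts before the hunk), so it cannot be checked here whether the nonce comes from a per-request `SecureRandom.base64(16)` or is derived from `request.session.id` as in the Rails guide example; a session-bound nonce is identical across every page of that session and is echoed into each response, so a per-request random value is the safer choice if the body does otherwise. With the nonce now attached only to `script-src`, it would help to document on the directives line which directives deliberately stay nonce-less, e.g. `# Nonce applies to script-src only; style-src still relies on :unsafe_inline`, so that a future change does not silently widen or narrow where the nonce is emitted.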