From f3bef4ae25fc5450f1e7acfc24e1172ee465add4 Mon Sep 17 00:00:00 2001
From: Soufiane
Date: Fri, 4 Aug 2023 11:22:33 +0200
Subject: [PATCH] Fix Broken CSP on the shareable links page [SCI-8969] (#5911)

---
 app/views/layouts/shareable_links.html.erb | 2 +-
 config/initializers/content_security_policy.rb | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/views/layouts/shareable_links.html.erb b/app/views/layouts/shareable_links.html.erb
index 28bf040c1..775fde9bb 100644
--- a/app/views/layouts/shareable_links.html.erb
+++ b/app/views/layouts/shareable_links.html.erb
@@ -1,12 +1,12 @@
+ <%= csp_meta_tag %>
 <%=t "head.title", title: (yield :head_title) %>
 <%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %>
 <%= stylesheet_link_tag 'application', media: 'all' %>
- <%= csp_meta_tag %>
 <%= javascript_include_tag 'jquery_bundle' %>
 <%= javascript_include_tag 'application' %>
 <%= javascript_include_tag 'application_pack' %>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 48ab4e62c..2217e2721 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -26,7 +26,9 @@ Rails.application.config.content_security_policy_nonce_generator = -> (request)
 if request.env['HTTP_TURBOLINKS_REFERRER'].present?
 request.env['HTTP_X_TURBOLINKS_NONCE']
 else
- request.session.id.to_s
+ return request.session.id.to_s if request&.session&.id.present?
+
+ SecureRandom.base64(16)
 end
 end
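Review bot: The ordering constraint this fix depends on is not recorded in the template, so nothing prevents a later edit from moving `csp_meta_tag` back below the asset tags and reintroducing SCI-8969. Add an ERB comment directly above the moved line, for example `<%# SCI-8969: csp_meta_tag must stay the first tag in <head>, ahead of the stylesheet and script tags %>`. The hunk header counts 12 lines on each side but only 9 are visible here, so the surrounding `<head>` markup appears to have been dropped from this copy of the diff and the exact position relative to it cannot be confirmed from what is shown.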
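Review bot: The random fallback on the added lines is only reached when the request carries no session; for every other request the nonce is still `request.session.id.to_s`, so one value is reused for the whole lifetime of the session and is disclosed in the CSP header and the `csp_meta_tag` of every response, which gives up the per-response unpredictability a nonce is meant to provide. Unless something outside this file relies on the nonce being stable per session, the else branch could use `SecureRandom.base64(16)` unconditionally — the Turbolinks branch above already carries the current nonce across visits via `HTTP_X_TURBOLINKS_NONCE` — or, if the session-id form must stay, a comment above it stating that reason. Separately, `request&.session` is misleading because `request.env` is dereferenced unconditionally two lines earlier; `return request.session.id.to_s if request.session&.id.present?` expresses what is actually being guarded. The lambda enclosing this `if` starts outside the hunk (its opening line is only visible, truncated, in the hunk header), so its closing `end` is the last context line shown here.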