chore: Remove CSP nonce

steverydz · steverydz · commit e7675a0c417a · 2026-04-07T13:02:39.000+01:00
diff --git a/templates/_base-layout.html b/templates/_base-layout.html
@@ -14,19 +14,18 @@
     <link rel="preload" href="https://assets.ubuntu.com/v1/9689339a-snapcraft-hero-background--light.png" as="image">
 
     <!-- Google Tag Manager -->
-    <script nonce="{{ CSP_NONCE }}">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
     new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
     j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
-    'https://www.googletagmanager.com/gtm.js?id='+i+dl;var n=d.querySelector('[nonce]');
-    n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));f.parentNode.insertBefore(j,f);
+    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
     })(window,document,'script','dataLayer','GTM-KCGXHQS');</script>
     <!-- End Google Tag Manager -->
 
     {{ vite_import('static/sass/styles.scss') }}
 
     {{ vite_import('static/js/base/base.ts') }}
     {% block scripts_includes %}{% endblock %}
-    <script src="https://assets.ubuntu.com/v1/703e23c9-lazysizes+noscript+native-loading.5.1.2.min.js" defer nonce="{{ CSP_NONCE }}"></script>
+    <script src="https://assets.ubuntu.com/v1/703e23c9-lazysizes+noscript+native-loading.5.1.2.min.js" defer></script>
 
     <meta name="description" content="{% block meta_description %}Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run. And because they bundle their dependencies, they work on all major Linux systems without modification.{% endblock %}">
     <meta name="copydoc" content="{% block meta_copydoc %}{% endblock %}">
@@ -81,14 +80,14 @@
 
     {% block scripts %}{% endblock %}
 
-    <script nonce="{{ CSP_NONCE }}">
+    <script>
       window.COMMIT_ID = "{{ COMMIT_ID }}";
       window.ENVIRONMENT = "{{ ENVIRONMENT }}";
       window.SENTRY_DSN = "{{ SENTRY_DSN }}";
       window.ANALYTICS_ENDPOINT = "{{ ANALYTICS_ENDPOINT }}";
     </script>
 
-  <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+  <script type="application/ld+json">
       {
         "@context": "http://schema.org/",
         "@id": "https://snapcraft.io/#organization",
@@ -107,7 +106,7 @@
       }
     </script>
 
-    <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+    <script type="application/ld+json">
       {
         "@context": "http://schema.org",
         "@id": "https://snapcraft.io/#website",
diff --git a/templates/_layout-embedded.html b/templates/_layout-embedded.html
@@ -45,7 +45,7 @@
 
     {% block scripts %}{% endblock %}
 
-    <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+    <script type="application/ld+json">
       {
         "@context": "http://schema.org/",
         "@id": "https://snapcraft.io/#organization",
diff --git a/templates/about/publish.html b/templates/about/publish.html
@@ -196,7 +196,7 @@ <h3 class="p-heading--5">Trave CI, Circle CI and GitHub Actions are all supporte
 {% endblock %}
 
 {% block scripts %}
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.addEventListener("DOMContentLoaded", function () {
     try {
       snapcraft.about.initFSFLanguageSelect(document.querySelector('.js-fsf-language-select'));
diff --git a/templates/admin/admin.html b/templates/admin/admin.html
@@ -6,7 +6,7 @@
 <div id="root">
 </div>
 
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.CSRF_TOKEN = "{{ csrf_token() }}";
   window.SENTRY_DSN = "{{ SENTRY_DSN }}";
   window.API_URL = "{{ api_url }}";
diff --git a/templates/blog/article.html b/templates/blog/article.html
@@ -9,7 +9,7 @@
 {% endif %}
 
 {% block meta_schema %}
-<script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+<script type="application/ld+json">
     {
       "@context": "http://schema.org",
       "@id": "https://snapcraft.io/#article",
@@ -98,7 +98,7 @@ <h4>
   </section>
 {% endif %}
 
-<script type="text/template" id="blog-series-item-template" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="blog-series-item-template">
   <li class="p-list__item">
     <h5>
       <a href="/blog/${slug}" class="p-blog-list__item ${className}">
@@ -114,7 +114,7 @@ <h5>
 {% endblock %}
 
 {% block scripts %}
-  <script nonce="{{ CSP_NONCE }}">
+  <script>
     window.addEventListener("DOMContentLoaded", function() {
       try {
         {% if is_in_series %}
diff --git a/templates/blog/index.html b/templates/blog/index.html
@@ -148,7 +148,7 @@ <h5 class="p-notification__title">Success</h5>
 {% endblock %}
 
 {% block scripts %}
-  <script nonce="{{ CSP_NONCE }}">
+  <script>
     window.addEventListener("DOMContentLoaded", function() {
       try {
         {% if categories %}
diff --git a/templates/docs/document.html b/templates/docs/document.html
@@ -161,7 +161,7 @@ <h4 class="p-table-of-contents__header">On this page</h4>
 {% endblock %}
 
 {% block scripts %}
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.addEventListener("DOMContentLoaded", function() {
     try {
        // Based on Vanilla side navigation example
diff --git a/templates/index.html b/templates/index.html
@@ -164,12 +164,12 @@ <h2>Measure user growth</h2>
 {{ vite_import('static/js/public/homepage.ts') }}
 {{ vite_import('static/js/public/featured-snaps.ts') }}
 {% if nps %}
-<script src="//app-sjg.marketo.com/js/forms2/js/forms2.min.js" defer nonce="{{ CSP_NONCE }}"></script>
+<script src="//app-sjg.marketo.com/js/forms2/js/forms2.min.js" defer></script>
 {% endif %}
 {% endblock %}
 
 {% block scripts %}
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.addEventListener("DOMContentLoaded", function () {
     try {
       snapcraft.public.homepage.initFSFLanguageSelect();
diff --git a/templates/partials/_video.html b/templates/partials/_video.html
@@ -15,7 +15,7 @@
   <div id="asciicastplayer"></div>
 {% endif %}
 
-<script nonce="{{ CSP_NONCE }}">
+<script>
   document.addEventListener("DOMContentLoaded", function() {
     const vimeoplayerFrame = document.getElementById("vimeoplayer");
     const asciicastplayerFrame = document.getElementById("asciicastplayer");
diff --git a/templates/publisher/collaboration.html b/templates/publisher/collaboration.html
@@ -6,7 +6,7 @@
 
 {% block content %}
 <main id="main-content"></main>
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.SENTRY_DSN = "{{ SENTRY_DSN }}";
   window.CSRF_TOKEN = "{{ csrf_token() }}";
   window.data = JSON.parse({{ collaborations_data|tojson }});
diff --git a/templates/publisher/developer_programme_agreement.html b/templates/publisher/developer_programme_agreement.html
@@ -43,7 +43,7 @@ <h2 class="p-heading--4">Snap Store Terms of Service and Privacy Notice</h2>
 {% endblock %}
 
 {% block scripts %}
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.addEventListener("DOMContentLoaded", function() {
     try {
       var checkbox = document.querySelector('#id_i_agree');
diff --git a/templates/publisher/publicise/store_buttons.html b/templates/publisher/publicise/store_buttons.html
@@ -134,7 +134,7 @@ <h4>Promote your snap using Snap Store badges</h4>
 {% endblock %}
 
 {% block scripts %}
-  <script nonce="{{ CSP_NONCE }}">
+  <script>
     window.addEventListener("DOMContentLoaded", function() {
       try {
         snapcraft.publisher.publicise.initSnapButtonsPicker();
diff --git a/templates/shared/contact-form-modal.html b/templates/shared/contact-form-modal.html
@@ -8,7 +8,7 @@ <h2 class="p-modal__title">Contact us</h2>
   </section>
 </div>
 
-<script type="text/template" id="contactFormTemplate" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="contactFormTemplate">
   {% with formid="{{formid}}",
    product="appstore",
    returnURL="https://snapcraft.io/about/thank-you" %}
diff --git a/templates/store/publisher-details.html b/templates/store/publisher-details.html
@@ -170,7 +170,7 @@ <h5 class="p-notification__title">Error</h5>
   {% set article_title = {'rendered': '${title}'} %}
   {% set article = {'slug': '${slug}', 'title': article_title} %}
   {% if blog_slug %}
-    <script type="text/template" id="blog-article-template" nonce="{{ CSP_NONCE }}">
+    <script type="text/template" id="blog-article-template">
       {% include 'partials/blog-card--minimal.html' %}
     </script>
   {% endif %}
@@ -185,7 +185,7 @@ <h5 class="p-notification__title">Error</h5>
 
 {% block scripts %}
   {% if blog_slug %}
-    <script nonce="{{ CSP_NONCE }}">
+    <script>
       window.addEventListener("DOMContentLoaded", function() {
         try {
           snapcraft.public.publisherDetails.snapDetailsPosts('[data-js="blog-article-list"]', '#blog-article-template', '[data-js="blog-articles"]');
diff --git a/templates/store/publisher.html b/templates/store/publisher.html
@@ -4,7 +4,7 @@
 {% block content %}
 <div id="root">
 </div>
-<script nonce="{{ CSP_NONCE }}">
+<script>
   window.CSRF_TOKEN = "{{ csrf_token() }}";
 </script>
 {{ vite_import('static/js/publisher/index.tsx') }}
diff --git a/templates/store/snap-details.html b/templates/store/snap-details.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block meta_schema %}
-  <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+  <script type="application/ld+json">
     {
       "@context": "https://schema.org",
       "@type": "SoftwareApplication",
@@ -348,7 +348,7 @@ <h5 class="p-notification__title">Error</h5>
 {% endblock %}
 
 {% block scripts %}
-  <script nonce="{{ CSP_NONCE }}">
+  <script>
     window.addEventListener("DOMContentLoaded", function() {
       try {
         snapcraft.public.storeDetails.initExpandableArea();
diff --git a/templates/store/snap-details/_channel_map.html b/templates/store/snap-details/_channel_map.html
@@ -159,7 +159,7 @@
   </div>
 </div>
 
-<script type="text/template" id="install-window-template" data-js="install-window" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="install-window-template" data-js="install-window">
   <div class="u-fixed-width">
     <a href="#" data-js="slide-all-versions">&lsaquo; All versions</a>
   </div>
@@ -189,7 +189,7 @@
   </div>
 </script>
 
-<script type="text/template" id="channel-map-row-template" data-js="channel-map-row" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="channel-map-row-template" data-js="channel-map-row">
   <tr class="${rowClass}" data-js="slide-install-instructions" data-channel="${row[0]}/${row[1]}" data-confinement="${row[4]}">
     <td>${row[0]}/${row[1]}</td>
     <td>${row[2]}</td>
@@ -198,7 +198,7 @@
   </tr>
 </script>
 
-<script type="text/template" id="channel-map-security-table-row-template" data-js="channel-map-security-table-row" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="channel-map-security-table-row-template" data-js="channel-map-security-table-row">
   <tr>
     <td>${row[0]}/${row[1]}</td>
     <td>${row[2]}</td>
diff --git a/templates/store/snap-details/_details.html b/templates/store/snap-details/_details.html
@@ -117,7 +117,7 @@ <h3 class="p-muted-heading">Command &rsaquo; Alias</h3>
     </ul>
     <hr class="p-rule--muted">
 
-    <script nonce="{{ CSP_NONCE }}">
+    <script>
       // Handle aliases "show more" button
       const list = document.querySelector(".js-expandable-list");
       const showMoreButton = document.querySelector(".js-toggle-full-list");
@@ -182,7 +182,7 @@ <h2 class="p-modal__title" id="modal-title"><i class="p-icon--warning" style="wi
 from the upstream project.{%- endif -%}</span>
   </template>
 
-  <script nonce="{{ CSP_NONCE }}">
+  <script>
     // Handle verified domain status
     const primaryDomainListItem = document.querySelector("[data-js='primary-domain']");
 
diff --git a/templates/store/snap-details/_templates.html b/templates/store/snap-details/_templates.html
@@ -2,19 +2,19 @@
 {% set article_title = {'rendered': '${title}'} %}
 {% set article = {'slug': '${slug}', 'title': article_title, 'image': '${image}'} %}
 {% set container_class = "${container_class}" %}
-<script type="text/template" id="blog-article-template" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="blog-article-template">
   {% include 'partials/blog-card--minimal.html' %}
 </script>
 
 {% set video = {'type': 'youtube', 'url': '${url}', 'id': '${id}'} %}
-<script type="text/template" id="video-youtube-template" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="video-youtube-template">
   {% include 'partials/_video.html' %}
 </script>
 {% set video = {'type': 'vimeo', 'url': '${url}', 'id': '${id}'} %}
-<script type="text/template" id="video-vimeo-template" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="video-vimeo-template">
   {% include 'partials/_video.html' %}
 </script>
 {% set video = {'type': 'asciinema', 'url': '${url}', 'id': '${id}'} %}
-<script type="text/template" id="video-asciinema-template" nonce="{{ CSP_NONCE }}">
+<script type="text/template" id="video-asciinema-template">
   {% include 'partials/_video.html' %}
 </script>
diff --git a/templates/store/snap-distro-install.html b/templates/store/snap-distro-install.html
@@ -20,7 +20,7 @@
 {% endblock %}
 
 {% block meta_schema %}
-  <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+  <script type="application/ld+json">
     {
       "@context": "https://schema.org",
       "@type": "SoftwareApplication",
diff --git a/templates/store/store.html b/templates/store/store.html
@@ -7,7 +7,7 @@
 {% block meta_description %}Find and install the best Linux software for all major Linux distributions.{% endblock %}
 
 {% block meta_schema %}
-  <script type="application/ld+json" nonce="{{ CSP_NONCE }}">
+  <script type="application/ld+json">
     {
       "@context": "http://schema.org",
       "@id": "https://snapcraft.io/#website",
diff --git a/templates/tutorials/tutorial.html b/templates/tutorials/tutorial.html
@@ -121,7 +121,7 @@ <h2 class="p-heading--3">{{ loop.index }}. {{ section["title"]}}</h2>
 </div>
 
 <!-- end of tutorial feedback -->
-<script nonce="{{ CSP_NONCE }}">
+<script>
   (function () {
     var tutorialFeedbackOptions = document.querySelector('.p-tutorial__feedback-options');
     var tutorialFeedbackIcons = document.querySelectorAll('.p-tutorial__feedback-icon');
@@ -145,7 +145,7 @@ <h2 class="p-heading--3">{{ loop.index }}. {{ section["title"]}}</h2>
   })();
 </script>
 
-<script nonce="{{ CSP_NONCE }}">
+<script>
   (function () {
     function setActiveLink(navigationItems) {
       [].forEach.call(navigationItems, function (item) {
@@ -193,7 +193,7 @@ <h2 class="p-heading--3">{{ loop.index }}. {{ section["title"]}}</h2>
   })();
 </script>
 
-<script nonce="{{ CSP_NONCE }}">
+<script>
   (function () {
     var polls = document.querySelectorAll('.poll');
 
@@ -220,7 +220,7 @@ <h2 class="p-heading--3">{{ loop.index }}. {{ section["title"]}}</h2>
   })();
 </script>
 
-<script nonce="{{ CSP_NONCE }}">
+<script>
   (function () {
     var toggleSidebar = document.querySelector('.p-sidebar__toggle');
     var sidebar = document.querySelector('.p-sidebar__content');
diff --git a/webapp/handlers.py b/webapp/handlers.py

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@`
`45`	`45`
`46`	`46`	`{% block scripts %}{% endblock %}`
`47`	`47`
`48`		`- <script type="application/ld+json" nonce="{{ CSP_NONCE }}">`
	`48`	`+ <script type="application/ld+json">`
`49`	`49`	`{`
`50`	`50`	`"@context": "http://schema.org/",`
`51`	`51`	`"@id": "https://snapcraft.io/#organization",`