Merged

Copilot (Contributor) reviewed:

Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.
Removes the CSP nonce mechanism and updates templates/CSP handling to allow inline scripts without per-request nonces.

Changes:
- Removed CSP nonce generation and template exposure (`CSP_NONCE`).
- Updated CSP construction logic for scripts and adjusted allowed sources.
- Removed `nonce="{{ CSP_NONCE }}"` from a large set of templates' `<script>` tags.
Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| webapp/handlers.py | Removes nonce generation/context and changes CSP generation logic and directives. |
| templates/tutorials/tutorial.html | Removes CSP nonce attributes from inline scripts. |
| templates/store/store.html | Removes CSP nonce from JSON-LD script tag. |
| templates/store/snap-distro-install.html | Removes CSP nonce from JSON-LD script tag. |
| templates/store/snap-details/_templates.html | Removes CSP nonce from template script tags. |
| templates/store/snap-details/_details.html | Removes CSP nonce from inline scripts. |
| templates/store/snap-details/_channel_map.html | Removes CSP nonce from template script tags. |
| templates/store/snap-details.html | Removes CSP nonce from JSON-LD and inline scripts. |
| templates/store/publisher.html | Removes CSP nonce from inline bootstrap script. |
| templates/store/publisher-details.html | Removes CSP nonce from template and inline scripts. |
| templates/shared/contact-form-modal.html | Removes CSP nonce from template script tag. |
| templates/publisher/publicise/store_buttons.html | Removes CSP nonce from inline script. |
| templates/publisher/developer_programme_agreement.html | Removes CSP nonce from inline script. |
| templates/publisher/collaboration.html | Removes CSP nonce from inline bootstrap script. |
| templates/partials/_video.html | Removes CSP nonce from inline script. |
| templates/index.html | Removes CSP nonce from external and inline scripts. |
| templates/docs/document.html | Removes CSP nonce from inline script. |
| templates/blog/index.html | Removes CSP nonce from inline script. |
| templates/blog/article.html | Removes CSP nonce from JSON-LD, template, and inline scripts. |
| templates/admin/admin.html | Removes CSP nonce from inline bootstrap script. |
| templates/about/publish.html | Removes CSP nonce from inline script. |
| templates/_layout-embedded.html | Removes CSP nonce from JSON-LD script tag. |
| templates/_base-layout.html | Removes CSP nonce usage, including GTM nonce propagation and multiple script tags. |
Copilot (AI) changed the title from "chore: Remove CSP nonce" to "chore: Revert CSP nonce (revert #5568)" on Apr 7, 2026.
ilayda-cp (Contributor) reviewed on Apr 7, 2026:
| "*.snapcraftcontent.com", | ||
| "marketplace-analytics.staging.canonical.com", | ||
| "marketplace-analytics.canonical.com", | ||
| "www.google.com", |
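Review bot: the visible fragment shows only the host allowlist entries ("*.snapcraftcontent.com", the two marketplace-analytics hosts and "www.google.com") and not which entry the thread is about, and the author's reply says the entry "was only added in the nonce PR" and will be re-added; the PR description's list of changes should state any host source that is removed or restored by this revert, because once 'unsafe-inline' is back in script-src-elem the host allowlist is the main remaining control over which script sources the page accepts.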
abbiesims (Author):

@ilayda-cp It was only added in the nonce PR but I'll re-add it to be safe
Contributor:

@abbiesims I think it's unrelated because we were getting this issue during work together as well.
ilayda-cp approved these changes on Apr 7, 2026.
Done

Reverts the changes introduced in #5568. Removes the CSP nonce mechanism and restores the previous CSP configuration, including `'unsafe-inline'` in `script-src-elem` for Google Tag Manager compatibility.

- Removed `import copy` and `import secrets`
- Removed the `generate_nonce()` before-request handler
- Removed `CSP_NONCE` from the template context
- Restored `'unsafe-inline'` in `script-src-elem`
- Renamed `add_script_hashes_and_nonce_to_csp` back to `add_script_hashes_to_csp`
- Removed `nonce="{{ CSP_NONCE }}"` from all affected templates

How to QA

- `dotrun`
- Check the `Content-Security-Policy` response header
- `script-src-elem` contains `'unsafe-inline'` and no `nonce-*` value
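The QA step above can be scripted. This is an added example, not code from the snapcraft.io webapp: it parses a `Content-Security-Policy` header, applies the PR's criteria (`script-src-elem` contains `'unsafe-inline'` and no `nonce-*` source) and, going beyond the QA note, also applies the CSP3 rule that browsers ignore `'unsafe-inline'` whenever a nonce, hash or `'strict-dynamic'` source is in the same list, which matters here because `add_script_hashes_to_csp` still adds hashes. The sample headers and the nonce/hash values in them are constructed.

```python
# Added example, not code from the snapcraft.io webapp. Implements the PR's QA
# check on a Content-Security-Policy header plus the CSP3 rule that
# 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' shares the list.
import re

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/_-]+=*'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/_-]+=*'$")


def parse_csp(header: str) -> dict:
    """{directive: [sources]}; names are case-insensitive, first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_effective(sources: list) -> bool:
    """CSP3 'does a source list allow all inline behavior'."""
    keywords = {s.lower() for s in sources}
    overridden = "'strict-dynamic'" in keywords or any(
        NONCE_RE.match(s) or HASH_RE.match(s) for s in sources)
    return "'unsafe-inline'" in keywords and not overridden


def check_script_src_elem(header: str) -> dict:
    """QA criteria: 'unsafe-inline' present, no nonce-* source; falls back like browsers."""
    policy = parse_csp(header)
    name = next((n for n in ("script-src-elem", "script-src", "default-src")
                 if n in policy), None)
    sources = policy.get(name, [])
    nonces = [s for s in sources if NONCE_RE.match(s)]
    has_unsafe_inline = "'unsafe-inline'" in {s.lower() for s in sources}
    return {
        "directive": name,
        "has_unsafe_inline": has_unsafe_inline,
        "nonces": nonces,
        "hashes": [s for s in sources if HASH_RE.match(s)],
        "qa_pass": has_unsafe_inline and not nonces,
        "inline_effective": inline_effective(sources),
    }


# Constructed sample headers: the nonce-based shape and the reverted shape.
NONCE_HEADER = ("default-src 'self'; script-src-elem 'self' 'nonce-cXVpY2tfZm94' "
                "'sha256-AbCdEf0123456789+/=' *.snapcraftcontent.com www.google.com")
REVERTED_HEADER = ("default-src 'self'; script-src-elem 'self' 'unsafe-inline' "
                   "*.snapcraftcontent.com www.google.com")
```

A header that passes `qa_pass` but reports `inline_effective` as False would mean the GTM inline script is still blocked in CSP2+ browsers despite `'unsafe-inline'` being present.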