WEBUI-1282: Allow Content Security Policy without script-src data

addons/nuxeo-csv/elements/nuxeo-document-import-csv.js

@@ -276,7 +276,7 @@ Polymer({
           <template is="dom-if" if="[[!hasFile]]">
             <div class="vertical layout center center-justified flex">
               <div class="dropzone-label horizontal layout center center-justified">
-                <a href="javascript:undefined" on-tap="_showUploadDialog"> [[i18n('csv.import.clickOrDrop')]]</a>
+                <a href="#" on-tap="_showUploadDialog"> [[i18n('csv.import.clickOrDrop')]]</a>
               </div>
             </div>
           </template>
@@ -581,7 +581,8 @@ Polymer({
     }
   },
 
-  _showUploadDialog() {
+  _showUploadDialog(e) {
+    e.preventDefault();
     this.$.uploadFiles.click();
   },
 

addons/nuxeo-liveconnect/elements/nuxeo-liveconnect-box-link.js

@@ -64,7 +64,7 @@ Polymer({
       is-available="{{isProviderAvailable}}"
     ></nuxeo-liveconnect-box-provider>
     <template is="dom-if" if="[[isProviderAvailable]]">
-      <a href="javascript:undefined" on-tap="_openPicker">
+      <a href="#" on-tap="_openPicker">
         <iron-icon src="[[importPath]]images/box.png"></iron-icon>
         [[i18n('liveconnectImportActions.box', 'Box')]]
       </a>
@@ -78,7 +78,8 @@ Polymer({
     this.$.provider.updateProviderInfo();
   },
 
-  _openPicker() {
+  _openPicker(e) {
+    e.preventDefault();
     this.$.provider.openPicker();
   },
 });

addons/nuxeo-liveconnect/elements/nuxeo-liveconnect-google-drive-link.js

@@ -64,7 +64,7 @@ Polymer({
       is-available="{{isProviderAvailable}}"
     ></nuxeo-liveconnect-google-drive-provider>
     <template is="dom-if" if="[[isProviderAvailable]]">
-      <a href="javascript:undefined" on-tap="_openPicker">
+      <a href="#" on-tap="_openPicker">
         <iron-icon src="[[importPath]]images/google_drive.png"></iron-icon>
         [[i18n('liveconnectImportActions.googledrive', 'Google Drive')]]
       </a>
@@ -78,7 +78,8 @@ Polymer({
     this.$.provider.updateProviderInfo();
   },
 
-  _openPicker() {
+  _openPicker(e) {
+    e.preventDefault();
     this.$.provider.openPicker();
   },
 });

elements/nuxeo-selection/nuxeo-selection-toolbar.js

@@ -112,7 +112,7 @@ Polymer({
             <span class="count" aria-live="polite">
               [[i18n('selectionToolbar.selected.items', selectedItems.length)]]
             </span>
-            <a class="selectionLink" on-tap="toogleSelectedItemsPopup" href="javascript:void(0)">
+            <a class="selectionLink" on-tap="toogleSelectedItemsPopup" href="#">
               <span>[[i18n('selectionToolbar.display.selection')]]</span>
             </a>
           </template>
@@ -121,7 +121,7 @@ Polymer({
           <template is="dom-if" if="[[selectAllActive]]">
             <span class="count" aria-live="polite">[[i18n('selectionToolbar.selected.all', _resultsCount)]]</span>
           </template>
-          <a class="selectionLink" on-tap="clearSelection" href="javascript:void(0)">
+          <a class="selectionLink" on-tap="clearSelection" href="#">
             <span>[[i18n('command.clear')]]</span>
           </a>
         </div>
@@ -188,11 +188,13 @@ Polymer({
     this.hidden = !this.selectedItems || this.selectedItems.length === 0;
   },
 
-  toogleSelectedItemsPopup() {
+  toogleSelectedItemsPopup(e) {
+    e.preventDefault();
     this.$$('#selectedItemsPopup').toggle();
   },
 
-  clearSelection() {
+  clearSelection(e) {
+    e.preventDefault();
     this.fire('clear-selected-items');
   },
 });

elements/workflow/nuxeo-document-task.js

@@ -158,7 +158,7 @@ Polymer({
               </div>
             </template>
           </div>
-          <a href="javascript:undefined" on-tap="_toggleGraphDialog" class="view-graph">[[i18n('tasks.viewGraph')]]</a>
+          <a href="#" on-tap="_toggleGraphDialog" class="view-graph">[[i18n('tasks.viewGraph')]]</a>
           <div class="horizontal spaced">
             <span>[[i18n(tasks.directive)]]</span>
           </div>
@@ -314,7 +314,8 @@ Polymer({
       .finally(() => this._setProcessing(false));
   },
 
-  _toggleGraphDialog() {
+  _toggleGraphDialog(e) {
+    e.preventDefault();
     this.$.graph.show();
   },
 

index.html

@@ -89,6 +89,10 @@
     <script src="vendor/web-animations/web-animations-next-lite.min.js"></script>
 
     <script nonce="dummy">
+
+      function generateNonce(){
+        return window.crypto.randomUUID().toString('base64')
+      }
       /* eslint-disable no-var, no-unused-vars */
       var Nuxeo = {
         UI: {
@@ -128,6 +132,7 @@
                 hrefBase: 'elements/search/',
               },
             },
+            nonce: generateNonce()
             /* analytics: {
               documentDistribution: {
                 disableThreshold: 100, // uncomment to set the threshold value that disables the distribution analytics

plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/config.jsp

@@ -29,6 +29,7 @@
 var Nuxeo = Nuxeo || {};
 Nuxeo.UI = Nuxeo.UI || {};
 Nuxeo.UI.config = <%= cs.getPropertiesAsJson("org.nuxeo.web.ui") %>;
+Nuxeo.UI.config.nonce = NuxeoNonce;
 Nuxeo.UI.bundles = [
   <% for (Resource resource : wrm.getResources(new ResourceContextImpl(), "web-ui", "import")) { %>
   '<%= context %><%= resource.getURI() %>',

plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp

@@ -17,6 +17,7 @@ limitations under the License.
 -->
 <%@ page trimDirectiveWhitespaces="true" %>
 <%@ page contentType="text/html; charset=UTF-8" %>
+<%@ page import="java.util.UUID"%>
 <%@ page import="org.nuxeo.common.Environment"%>
 <%@ page import="org.nuxeo.runtime.api.Framework"%>
 <%@ page import="org.nuxeo.ecm.core.api.repository.RepositoryManager"%>
@@ -35,6 +36,7 @@ limitations under the License.
   } else {
     baseUrl = context + "/repo/" + repository + "/ui/";
   }
+  String NX_NONCE_VALUE = UUID.randomUUID().toString();
 %>
 
 <!DOCTYPE html>
@@ -44,6 +46,7 @@ limitations under the License.
   <meta charset="UTF-8">
   <meta name="description" content="">
   <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<%= NX_NONCE_VALUE %>' 'strict-dynamic'; object-src 'none'">
 
   <title><%= Framework.getProperty(Environment.PRODUCT_NAME) %></title>
 
@@ -83,6 +86,10 @@ limitations under the License.
   </style>
 </head>
 
+<script nonce="<%= NX_NONCE_VALUE %>">
+  const NuxeoNonce = "<%= NX_NONCE_VALUE %>";
+</script>
+
 <body>
   <nuxeo-connection url="<%= context %>" repository-name="<%= repository %>"></nuxeo-connection>
   <nuxeo-app base-url="<%= baseUrl %>"
@@ -97,15 +104,15 @@ limitations under the License.
     </div>
   </nuxeo-app>
 
-  <script src="vendor/webcomponentsjs/webcomponents-loader.js"></script>
+  <script src="vendor/webcomponentsjs/webcomponents-loader.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="vendor/html-imports/html-imports.min.js"></script>
+  <script src="vendor/html-imports/html-imports.min.js" nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="vendor/web-animations/web-animations-next-lite.min.js"></script>
+  <script src="vendor/web-animations/web-animations-next-lite.min.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="config.jsp"></script>
+  <script src="config.jsp"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
-  <script src="main.bundle.js"></script>
+  <script src="main.bundle.js"  nonce="<%= NX_NONCE_VALUE %>"></script>
 
 </body>