Index: openacs-4/packages/acs-templating/tcl/head-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/head-procs.tcl,v
diff -u -r1.20.2.4 -r1.20.2.5
--- openacs-4/packages/acs-templating/tcl/head-procs.tcl 9 Sep 2016 08:12:25 -0000 1.20.2.4
+++ openacs-4/packages/acs-templating/tcl/head-procs.tcl 12 Sep 2016 10:30:46 -0000 1.20.2.5
@@ -413,6 +413,18 @@
 if {$src eq "" && $script eq ""} {
 error "You must supply either -src or -script."
 }
+
+ if {$script ne ""} {
+ #
+ # For the time being, not all browsers support
+ # nonces. According to the spects the added 'unsafe-inline',
+ # is ignored on browsers supporting nonces.
+ #
+ # We could restrict setting of unsafe-inline to certain
+ # browsers by checking the user agent.
+ #
+ security::csp::require script-src 'unsafe-inline'
+ }
 lappend ::template::body_scripts $type $src $charset $defer $async $script $crossorigin $integrity
 }
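Review bot: The added `security::csp::require script-src 'unsafe-inline'` relaxes the response's script-src for every inline body script, and the comment's claim that it is ignored by nonce-aware browsers only holds when a nonce-source or hash-source is actually present in the same directive — nothing in this hunk emits one, so unless the caller or the CSP layer adds the nonce on the same path, the relaxation takes effect in all browsers and inline-script blocking for the page is effectively off. It would be worth confirming that a nonce is required alongside this call and stating the precondition in the comment, e.g. `# 'unsafe-inline' is only a legacy fallback; a nonce-source must also be present in script-src, otherwise it applies everywhere.` The comment also has a typo (`spects` → `specs`) and a stray comma after `'unsafe-inline'`. The enclosing proc begins and ends outside the hunk.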