rollbar · waltjones · Dec 11, 2020 · Nov 10, 2020
diff --git a/lib/rollbar/middleware/js.rb b/lib/rollbar/middleware/js.rb
@@ -183,7 +183,6 @@ def rails5_nonce(env)
         req.respond_to?(:content_security_policy) &&
           req.content_security_policy &&
           req.content_security_policy.directives['script-src'] &&
-          !req.content_security_policy.directives['script-src'].include?("'unsafe-inline'") &&
           req.content_security_policy_nonce
       end
 
@@ -224,16 +223,12 @@ def find_csp
         end
 
         def csp_needs_nonce?(csp)
-          !opt_out?(csp) && !unsafe_inline?(csp)
+          !opt_out?(csp)
         end
 
         def opt_out?(_csp)
           raise NotImplementedError
         end
-
-        def unsafe_inline?(csp)
-          csp[:script_src].to_a.include?("'unsafe-inline'")
-        end
       end
 
       class SecureHeadersFalse < SecureHeadersResolver

diff --git a/spec/rollbar/middleware/js_spec.rb b/spec/rollbar/middleware/js_spec.rb
@@ -17,20 +17,6 @@
     expect(new_body).to include(snippet)
   end
 
-  it 'renders the snippet in the response without nonce if SecureHeaders script_src includes \'unsafe-inline\'' do
-    SecureHeadersMocks::CSP.config = {
-      :opt_out? => false,
-      :script_src => %w['unsafe-inline'] # rubocop:disable Lint/PercentStringArray
-    }
-
-    _, _, response = subject.call(env)
-    new_body = response.body.join
-
-    expect(new_body).to include('<script type="text/javascript">')
-    expect(new_body).to include("var _rollbarConfig = #{json_options};")
-    expect(new_body).to include(snippet)
-  end
-
   it 'renders the snippet in the response without nonce if SecureHeaders CSP is OptOut' do
     SecureHeadersMocks::CSP.config = {
       :opt_out? => true

diff --git a/spec/rollbar/plugins/rails_js_spec.rb b/spec/rollbar/plugins/rails_js_spec.rb
@@ -31,8 +31,6 @@ def configure_csp(mode)
         nonce_present
       elsif mode == :script_src_not_present
         script_src_not_present
-      elsif mode == :unsafe_inline
-        unsafe_inline
       else
         raise 'Unknown CSP mode'
       end
@@ -53,14 +51,6 @@ def script_src_not_present
       end
     end
 
-    def unsafe_inline
-      # Browser behavior is undefined when unsafe_inline and the nonce are both present.
-      # The app should never set both, but if they do, our best behavior is to not use the nonce.
-      Rails.application.config.content_security_policy do |policy|
-        policy.script_src :self, :unsafe_inline
-      end
-    end
-
     def nonce(response)
       response.request.content_security_policy_nonce
     end
@@ -107,20 +97,7 @@ def reset_rails_config
       include_examples 'adds the snippet'
     end
 
-    context 'when unsafe_inline is present' do
-      let(:nonce_mode) { :unsafe_inline }
-
-      it 'renders the snippet and config in the response with nonce in script tag' do
-        get '/test_rollbar_js'
-
-        expect(response.body).to_not include %[<script type="text/javascript" nonce="#{nonce(response)}">]
-        expect(response.body).to include '<script type="text/javascript">'
-      end
-
-      include_examples 'adds the snippet'
-    end
-
-    context 'when scp nonce is present' do
+    context 'when CSP nonce is present' do
       let(:nonce_mode) { :nonce_present }
 
       it 'renders the snippet and config in the response with nonce in script tag' do