From 1101558fcaec06b32d4d0ae6d28d160cd5339da5 Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Thu, 29 Jan 2026 10:46:06 -0500
Subject: [PATCH] Remove nonce from CSP to allow unsafe-inline to work

Browsers ignore 'unsafe-inline' when a nonce is present. Reverting to
unsafe-inline only until all inline handlers are refactored.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 middleware/SecurityHeadersMiddleware.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/middleware/SecurityHeadersMiddleware.php b/middleware/SecurityHeadersMiddleware.php
index 497c8ea..90bd8e8 100644
--- a/middleware/SecurityHeadersMiddleware.php
+++ b/middleware/SecurityHeadersMiddleware.php
@@ -26,10 +26,12 @@ class SecurityHeadersMiddleware {
         $nonce = self::getNonce();
 
         // Content Security Policy - restricts where resources can be loaded from
-        // Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers
-        // TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,
-        //       then remove 'unsafe-inline' from script-src for full CSP protection
-        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
+        // Currently using 'unsafe-inline' for scripts due to legacy onclick handlers throughout views
+        // NOTE: Nonce infrastructure exists (getNonce method, nonce attributes in views) but is not
+        // enforced in CSP until all inline handlers are refactored to use addEventListener.
+        // TODO: Complete refactoring of inline handlers, then change to:
+        //       script-src 'self' 'nonce-{$nonce}' (removing unsafe-inline)
+        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
 
         // Prevent clickjacking by disallowing framing
         header("X-Frame-Options: DENY");