fixup! Content Security Policy (CSP) Not Implemented (DataBiosphere/a…

…zul-private#6)

src/azul/chalice.py

@@ -478,14 +478,13 @@ def _controller(self, controller_cls: Type[C], **kwargs) -> C:
     def content_security_policy(self, nonce: str | None = None) -> str:
         self_ = sq('self')
         none = sq('none')
-        if nonce is not None:
-            nonce = sq('nonce-' + nonce)
+        nonce = [] if nonce is None else [sq('nonce-' + nonce)]
 
         return ';'.join([
             jw('default-src', self_),
             jw('img-src', self_, 'data:'),
-            jw('script-src', self_, nonce),
-            jw('style-src', self_, nonce),
+            jw('script-src', self_, *nonce),
+            jw('style-src', self_, *nonce),
             jw('frame-ancestors', none),
         ])
 

src/azul/strings.py

@@ -236,11 +236,11 @@ def jl(*lines: str) -> str:
     return '\n'.join(lines)
 
 
-def jw(*words: str | None) -> str:
+def jw(*words: str) -> str:
     """
     Return a space-separated string.
     """
-    return ' '.join(filter(None, words))
+    return ' '.join(words)
 
 
 def surround(string: str, end: str) -> str:

swagger/oauth2-redirect.html.template.mustache

@@ -66,10 +66,10 @@
         }
         window.close();
     }
-    // The CSP blocks JS event handlers from inline HTML markup, so the call to
-    // run() was moved here as a workaround instead of calling it from the body
-    // tag's onload property.
-    window.onload=function() {
+    // The CSP blocks JS event handlers from inline HTML markup, so instead of
+    // calling run() from the body tag's onload property, as a workaround it
+    // is added here with an event listener.
+    window.addEventListener("load", function() {
         run();
-    }
+    });
 </script>