Issue with CSP, nonce parameter, firefox #349
Description
Hello.
There is a issue with Content Security Policy set in ownnote application that at least happens in Firefox 59 (Nightly) browser.
By default when I try to open edit form for some note CSP (through dev tools) looks like this
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-enFqb0M3QjdsYnlqWFdxVGY2cDJPUEdZbGxCNlVaMm5Oc3pBdW9INmtvbz06aCtXYmF0cyt3UHYxTDFLOEc4c1NDb2VwOFNBNWFONldXWUdZNnVpTzBNQT0=' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
So there is a lot of error messages in browser console like this.
Content Security Policy: The page’s settings blocked the loading of a resource at https://[server name]/nextcloud/apps/ownnote/js/tinymce/plugins/autoresize/plugin.min.js (“script-src 'nonce-Mlp3OFBpQk12YzhobVpXV1FlOXRmc0pkb0VpMEF4SElmWFRERkNlVGR1ND06a05GUFgwc0o2SWgzNjYyNUpZNEpUTFJzeHpqM09sTDVFam1iUkU3bk5LUT0=' 'unsafe-eval'”).
And edit form/controls/UI not loaded/empty
I have found a workaround that if to change browsers useragent string to for example this one
Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.2.2 Waterfox/55.2.2
then nonce parameter dissapears from the CSP
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
and notes opens in edit mode correctly.