fix(csp): passed the nonce to the inline script for rehydrating on the client

travi · travi · commit 04a49a6f9e77 · 2017-02-04T22:44:31.000-06:00
this allows the browser to match the nonce to the one in the csp definition and safely allow the inline script to execute for #918
diff --git a/lib/server/view/layout.mustache b/lib/server/view/layout.mustache
@@ -9,7 +9,7 @@
     </head>
     <body>
         <div id="wrap"><div>{{{ renderedContent }}}</div></div>
-        <script>__INITIAL_STATE__ = '{{{ initialState }}}'; {{#boom}}__BOOM__ = {{/boom}}{{{boom}}}</script>
+        <script nonce="{{ script-nonce }}">__INITIAL_STATE__ = '{{{ initialState }}}'; {{#boom}}__BOOM__ = {{/boom}}{{{boom}}}</script>
         <script src="https://cdn.polyfill.io/v2/polyfill.min.js"> </script>
         <script src="{{ resources.main.js }}"> </script>
     </body>
