From 03c8994be40f2025664a66ae76aa927567efb6b2 Mon Sep 17 00:00:00 2001
From: Kumar Rishav
Date: Thu, 21 Sep 2017 15:12:07 +0530
Subject: [PATCH 1/5] added nonce to the script tag
---
 lib/server.js | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/server.js b/lib/server.js
index 109519f..4622e8e 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -35,6 +35,11 @@ var TEMPLATE = ['' ].join('');
+var TEMPLATE_WITH_NONCE = ['' + ].join('');
+
 exports.create = function create(createOptions) {
 createOptions = createOptions || {};
@@ -123,7 +128,20 @@ exports.create = function create(createOptions) {
 html += React.renderToString(componentInstance);
 // state (script) injection
- var script = format(TEMPLATE, Config.client.markupId, JSON.stringify(data));
+ //add nonce to the script tag for unsafe-inline;
+ var script = options.nonce
+ ? format(
+ TEMPLATE_WITH_NONCE,
+ Config.client.markupId,
+ options.nonce,
+ JSON.stringify(data)
+ )
+ : format(
+ TEMPLATE,
+ Config.client.markupId,
+ JSON.stringify(data)
+ );
+
 html = html.replace('', script + '');
 return done(null, html);
From 769293b9b6fe21277d5fe89e0a41139dba86680e Mon Sep 17 00:00:00 2001
From: Kumar Rishav
Date: Thu, 21 Sep 2017 15:14:51 +0530
Subject: [PATCH 2/5] Update README.md added the nonce info to the README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index bd0ef68..126f8e5 100644
--- a/README.md
+++ b/README.md
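Review bot: TEMPLATE_WITH_NONCE is introduced in the first hunk with no comment saying how it differs from TEMPLATE or when it is selected, and its literal content is not legible in this rendering, so a reader of the definition alone cannot tell. A one-line comment above it would cover that: `// Variant of TEMPLATE with an extra nonce placeholder; chosen in create() when options.nonce is set so the injected state script satisfies a nonce-based CSP script-src.` If the two templates differ only in that one attribute, building one from the other would keep them from drifting apart as the markup changes.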
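Review bot: In the second hunk options.nonce is substituted into TEMPLATE_WITH_NONCE through format() with no check on its content, so whatever the view's `_locals` carries lands verbatim in the injected script tag; if the template places it in a quoted attribute, a value containing `"` or `>` would break out of that attribute, and the reshaped if/else in patch 4 (`@@ -129,18 +129,14 @@`) inherits the same gap. A CSP nonce is a server-generated base64 token, so rejecting anything else before formatting is cheap: `if (options.nonce && !/^[A-Za-z0-9+/=_-]+$/.test(String(options.nonce))) { return done(new Error('invalid CSP nonce')); }` placed ahead of the format call. The added comment `//add nonce to the script tag for unsafe-inline;` reads as if the nonce serves 'unsafe-inline', whereas a script-src nonce is what lets a policy drop 'unsafe-inline'; `// When _locals.nonce is set, emit it on the injected state script so a nonce-based script-src policy admits it.` says what the branch is for. It is also worth stating in that comment that the value must be freshly generated per response, since the README example in patch 2 reads as a fixed string. The enclosing create() render callback starts and ends outside the hunk.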
@@ -142,6 +142,7 @@ var engine = require('react-engine').server.create({
 * In development mode, views are automatically reloaded before render. So there is no need to restart the server for seeing the changes.
 * You can use `js` as the engine if you decide not to write your react views in `jsx`.
 * [Blog on react-engine](https://www.paypal-engineering.com/2015/04/27/isomorphic-react-apps-with-react-engine/)
+* You can add [nonce](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script) in `_locals`, which will be added in `script` tag that gets injected into the server rendered pages, like `res.locals.nonce = 'nonce value'`
 ### License
 [Apache Software License v2.0](http://www.apache.org/licenses/LICENSE-2.0)
From 2bd5519685849ab702dbbf1d2f9f36752eb8dc67 Mon Sep 17 00:00:00 2001
From: Kumar Rishav
Date: Thu, 21 Sep 2017 16:03:38 +0530
Subject: [PATCH 3/5] Update server.js
---
 lib/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/server.js b/lib/server.js
index 4622e8e..2c210b4 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -141,7 +141,7 @@ exports.create = function create(createOptions) {
 Config.client.markupId,
 JSON.stringify(data)
 );
-
+
 html = html.replace('', script + '');
 return done(null, html);
From 5603e26bca75e3b2f44a1ec7d563d6b4262871c4 Mon Sep 17 00:00:00 2001
From: Kumar Rishav
Date: Tue, 3 Oct 2017 11:23:23 +0530
Subject: [PATCH 4/5] fix linting issue
---
 lib/server.js | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/lib/server.js b/lib/server.js
index 2c210b4..d3fc34d 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -129,18 +129,14 @@ exports.create = function create(createOptions) {
 // state (script) injection
 //add nonce to the script tag for unsafe-inline;
- var script = options.nonce
- ? format(
- TEMPLATE_WITH_NONCE,
- Config.client.markupId,
- options.nonce,
- JSON.stringify(data)
- )
- : format(
- TEMPLATE,
- Config.client.markupId,
- JSON.stringify(data)
- );
+ var script;
+
+ if(options.nonce) {
+ script = format(TEMPLATE_WITH_NONCE, Config.client.markupId,
+ options.nonce, JSON.stringify(data));
+ } else {
+ script = format(TEMPLATE, Config.client.markupId, JSON.stringify(data));
+ }
 html = html.replace('', script + '');
From 946d02a74a8abc3987cff64d3be9774fd3251066 Mon Sep 17 00:00:00 2001
From: Kumar Rishav
Date: Tue, 3 Oct 2017 11:29:35 +0530
Subject: [PATCH 5/5] Update server.js
---
 lib/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/server.js b/lib/server.js
index d3fc34d..cb08a45 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -131,7 +131,7 @@ exports.create = function create(createOptions) {
 //add nonce to the script tag for unsafe-inline;
 var script;
- if(options.nonce) {
+ if (options.nonce) {
 script = format(TEMPLATE_WITH_NONCE, Config.client.markupId,
 options.nonce, JSON.stringify(data));
 } else {
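Review bot: Both branches of the new if/else in the patch 4 hunk repeat `Config.client.markupId` and `JSON.stringify(data)`, so the nonce is not the only visible difference between them and a later change to the state serialization has to be made twice. Serializing once, `var state = JSON.stringify(data);`, and passing `state` in both format() calls leaves the template choice and the extra nonce argument as the sole divergence. The reshaping is layout-only, so the unchecked `options.nonce` still flows straight into format() here; a character-set check on it before this branch (base64/base64url characters only) would belong in the same spot. The enclosing create() render callback starts and ends outside the hunk.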