chore: remove nonce from the index.html

Unix4ever · Unix4ever · commit 807b218bd032 · 2025-11-20T23:11:00.000+03:00
It doesn't help UserPilot and only breaks ApexChart for some weird
reason.

Signed-off-by: Artem Chernyshev &lt;artem.chernyshev@talos-systems.com&gt;
diff --git a/frontend/index.html b/frontend/index.html
@@ -6,7 +6,6 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta name="color-scheme" content="dark" />
     <meta name="theme-color" content="#13141c" />
-    <meta name="csp-nonce" content="{{.Nonce}}" />
     <title>Omni</title>
   </head>
   <body>
diff --git a/internal/frontend/handler.go b/internal/frontend/handler.go
@@ -7,10 +7,8 @@
 package frontend
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
-	"html/template"
 	"io"
 	"io/fs"
 	"net/http"
@@ -19,8 +17,6 @@ import (
 	"path/filepath"
 	"strings"
 	"time"
-
-	"github.com/jxskiss/base62"
 )
 
 const index = "/index.html"
@@ -111,27 +107,13 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 		if path != index {
 			w.Header().Set("Vary", "Accept-Encoding, User-Agent")
 			w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d, immutable", handler.maxAgeSec))
-			http.ServeContent(w, r, file.Name(), handler.modTime, file)
 		} else {
 			w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
 
-			b := make([]byte, 10)
-			if _, err := rand.Read(b); err != nil {
-				writeHTTPError(w, fmt.Errorf("failed to read random bytes: %w", err))
-
-				return
-			}
-
-			nonce := base62.EncodeToString(b)
-
-			w.Header().Set("Content-Security-Policy",
-				"upgrade-insecure-requests"+
-					fmt.Sprintf(";default-src 'self' 'nonce-%s'", nonce)+
-					";img-src * data:"+
-					";connect-src 'self' https://*.auth0.com https://*.userpilot.io wss://*.userpilot.io"+
-					";font-src 'self' data:"+
-					fmt.Sprintf(";style-src 'self' 'nonce-%s' data: https://fonts.googleapis.com https://fonts.gstatic.com", nonce)+
-					";frame-src https://*.auth0.com",
+			w.Header().Set("Content-Security-Policy", "default-src 'self' https://*.userpilot.io; img-src * data: ; "+
+				";connect-src 'self' https://*.auth0.com https://*.userpilot.io wss://*.userpilot.io ;font-src 'self' data: "+
+				";style-src 'self' 'unsafe-inline' https://fonts.googleapis.com data: ;upgrade-insecure-requests;"+
+				";frame-src https://*.auth0.com",
 			)
 
 			w.Header().Set("X-Frame-Options", "SAMEORIGIN")
@@ -142,31 +124,10 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 				"magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials=(self),"+
 				"screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()",
 			)
-
-			// Read index.html content
-			content, err := io.ReadAll(file)
-			if err != nil {
-				writeHTTPError(w, err)
-
-				return
-			}
-
-			tmpl, err := template.New("index.html").Parse(string(content))
-			if err != nil {
-				writeHTTPError(w, err)
-
-				return
-			}
-
-			// Inject nonce into index.html
-			err = tmpl.Execute(w, struct{ Nonce string }{Nonce: nonce})
-			if err != nil {
-				writeHTTPError(w, err)
-
-				return
-			}
 		}
 
+		http.ServeContent(w, r, file.Name(), handler.modTime, file)
+
 		return
 	}
 
