From 4c3139224e4b2eecddff08f1c4ea5afab5c1e517 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Fri, 2 Feb 2024 14:06:39 +0100 Subject: [PATCH 1/2] Csp: Include `script-src 'self'; fixes #5180 --- library/Icinga/Util/Csp.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/library/Icinga/Util/Csp.php b/library/Icinga/Util/Csp.php index bd275c608..c7fbf9a4c 100644 --- a/library/Icinga/Util/Csp.php +++ b/library/Icinga/Util/Csp.php @@ -51,7 +51,11 @@ class Csp throw new RuntimeException('No nonce set for CSS'); } - $response->setHeader('Content-Security-Policy', "style-src 'self' 'nonce-$csp->styleNonce';", true); + $response->setHeader( + 'Content-Security-Policy', + "script-src 'self'; style-src 'self' 'nonce-$csp->styleNonce';", + true + ); } /** From bb4784464611fbbd73e4777aa993ec1e95710631 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Fri, 2 Feb 2024 14:08:51 +0100 Subject: [PATCH 2/2] js: Don't adjust style by using element.cssText That's prohibited if using `script-src 'self';` in the csp header --- public/js/icinga/behavior/collapsible.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/public/js/icinga/behavior/collapsible.js b/public/js/icinga/behavior/collapsible.js index 16f719506..9ba3d5560 100644 --- a/public/js/icinga/behavior/collapsible.js +++ b/public/js/icinga/behavior/collapsible.js @@ -424,7 +424,9 @@ if (this.isDetails(collapsible)) { collapsible.open = false; } else { - collapsible.style.cssText = 'display: block; height: ' + toHeight + 'px; padding-bottom: 0'; + collapsible.style.display = 'block'; + collapsible.style.height = toHeight + 'px'; + collapsible.style.paddingBottom = '0px'; if ('hasExternalToggle' in collapsible.dataset) { document.getElementById(collapsible.dataset.toggleElement).classList.add('collapsed'); 
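Review bot: The new header value restricts `script-src` to `'self'` but adds neither `base-uri` nor `object-src`, so an injected `<base href>` could still repoint every relative script URL at an attacker-controlled origin that `'self'` then implicitly trusts, and plugin content (`<object>`/`<embed>`) remains unrestricted. The usual companions are `"script-src 'self'; object-src 'none'; base-uri 'self'; style-src 'self' 'nonce-$csp->styleNonce';"`, assuming no module in this project relies on embedded plugin content (not visible here). Two things to confirm before landing: that nothing user-uploadable is served from the same origin (anything there becomes a trusted script source under `'self'`), and that the code generating `$csp->styleNonce` only ever yields header-safe characters, since the nonce is interpolated straight into the header value. The enclosing method's signature lies outside the hunk.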
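Review bot: The three property assignments replacing `cssText` carry no explanation, so the next maintainer is likely to fold them back into a single `cssText` write; add a comment above `collapsible.style.display = 'block';` such as `// Set properties one by one: a cssText write is an inline-style write that the CSP (style-src without 'unsafe-inline') reports, see #5180`. Note that the commit message attributes the restriction to `script-src 'self'`, whereas inline style attribute writes are governed by `style-src`, so it is worth checking the browser's violation report to name the right directive in the comment. The surrounding method starts and ends outside the hunk.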
@@ -445,7 +447,9 @@ if (this.isDetails(collapsible)) { collapsible.open = true; } else { - collapsible.style.cssText = ''; + collapsible.style.display = ''; + collapsible.style.height = ''; + collapsible.style.paddingBottom = ''; if ('hasExternalToggle' in collapsible.dataset) { document.getElementById(collapsible.dataset.toggleElement).classList.remove('collapsed');
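Review bot: The expand path is no longer equivalent to the old `collapsible.style.cssText = ''`: that cleared every inline declaration, while the new code clears only `display`, `height` and `paddingBottom`, so any other inline property set on the collapsible by another code path would now persist after expanding. If the intent is a full reset, `collapsible.removeAttribute('style');` as a single line keeps the old semantics and, as nothing is applied, should not be subject to the style-src check, though I'd verify that against the violation reports that motivated this change. If the narrower reset is deliberate, a one-line comment saying so would stop a future reviewer from "fixing" it. The surrounding method starts and ends outside the hunk.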