From 4475869203dd953517d35345c0590ae287581de8 Mon Sep 17 00:00:00 2001
From: tabraiz <tabraiz@cloudera.com>
Date: Tue, 27 Aug 2024 21:04:13 +0530
Subject: [PATCH 1/7] fixes unsafe fixes

---
 contributing-frontend.md                      |  2 +-
 desktop/core/src/desktop/auth/views.py        |  2 +
 desktop/core/src/desktop/decorators.py        | 13 ++++++
 desktop/core/src/desktop/middleware.py        | 15 +++++++
 desktop/core/src/desktop/settings.py          |  1 +
 .../src/desktop/templates/common_footer.mako  |  2 +-
 .../src/desktop/templates/common_header.mako  | 32 +++++++-------
 .../common_header_footer_components.mako      |  6 +--
 .../common_notebook_ko_components.mako        |  6 +--
 .../templates/config_ko_components.mako       | 18 ++++----
 desktop/core/src/desktop/templates/hue.mako   | 42 ++++++++++---------
 .../templates/hue_ace_autocompleter.mako      |  4 +-
 desktop/core/src/desktop/templates/login.mako |  4 +-
 .../src/desktop/templates/login_modal.mako    |  2 +-
 desktop/core/src/desktop/views.py             |  7 +++-
 15 files changed, 97 insertions(+), 59 deletions(-)

diff --git a/contributing-frontend.md b/contributing-frontend.md
index 5a6a203ea86..76fd8a2fde7 100644
--- a/contributing-frontend.md
+++ b/contributing-frontend.md
@@ -19,7 +19,7 @@ A react root element (or the first container element within it) must include the
 If your react component isn't dependent on any Knockout observables or Vue components you can integrate it by adding a small script and a component reference directly in the HTML code. The following example integrates MyComponent as a react root in an HTML/mako file.
 
 ```HTML
-<script type="text/javascript">
+<script type="text/javascript" nonce="${ request.csp_nonce }">
   (function () {
     window.createReactComponents('#some-container');
   })();
diff --git a/desktop/core/src/desktop/auth/views.py b/desktop/core/src/desktop/auth/views.py
index a5ca6220cb0..beebac3e288 100644
--- a/desktop/core/src/desktop/auth/views.py
+++ b/desktop/core/src/desktop/auth/views.py
@@ -29,6 +29,7 @@
 from datetime import datetime
 
 from axes.decorators import axes_dispatch
+from desktop.decorators import with_csp_header
 import django.contrib.auth.views
 from django.core.exceptions import SuspiciousOperation
 from django.contrib.auth import login, get_backends, authenticate
@@ -103,6 +104,7 @@ def dt_login_old(request, from_modal=False):
 
 @login_notrequired
 @axes_dispatch
+@with_csp_header
 def dt_login(request, from_modal=False):
   if request.method == 'GET':
     redirect_to = request.GET.get('next', '/')
diff --git a/desktop/core/src/desktop/decorators.py b/desktop/core/src/desktop/decorators.py
index 9fcdd093b92..67bd5abc760 100644
--- a/desktop/core/src/desktop/decorators.py
+++ b/desktop/core/src/desktop/decorators.py
@@ -17,6 +17,8 @@
 
 import logging
 import sys
+import base64
+import os
 
 from desktop.auth.backend import is_admin
 from desktop.lib.exceptions_renderable import PopupException
@@ -99,3 +101,14 @@ def decorator(*args, **kwargs):
         return JsonResponse(response)
 
   return decorator
+
+
+def with_csp_header(view_func):
+    @wraps(view_func)
+    def _wrapped_view(request, *args, **kwargs):
+        response = view_func(request, *args, **kwargs)
+        nonce = base64.b64encode(os.urandom(16)).decode('utf-8')
+        csp_policy = f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-eval';"
+        response['Content-Security-Policy'] = csp_policy
+        return response
+    return _wrapped_view
diff --git a/desktop/core/src/desktop/middleware.py b/desktop/core/src/desktop/middleware.py
index 426677ea971..e5417975d86 100644
--- a/desktop/core/src/desktop/middleware.py
+++ b/desktop/core/src/desktop/middleware.py
@@ -18,6 +18,7 @@
 from __future__ import absolute_import
 
 from builtins import object
+import base64
 import inspect
 import json
 import logging
@@ -972,6 +973,20 @@ def __call__(self, request):
     return self.get_response(request)
 
 
+class CSPMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        nonce = base64.b64encode(os.urandom(16)).decode('utf-8')
+        request.csp_nonce = nonce  # Make nonce available in the request
+        response = self.get_response(request)
+        csp_policy = "script-src 'nonce-{}' 'strict-dynamic' 'unsafe-eval';".format(nonce)
+
+        response['Content-Security-Policy'] = csp_policy
+        return response
+
+
 class CacheControlMiddleware(MiddlewareMixin):
   def __init__(self, get_response):
     self.get_response = get_response
diff --git a/desktop/core/src/desktop/settings.py b/desktop/core/src/desktop/settings.py
index ca0f93188a4..4b296f4c0bc 100644
--- a/desktop/core/src/desktop/settings.py
+++ b/desktop/core/src/desktop/settings.py
@@ -167,6 +167,7 @@
     # 'axes.middleware.FailedLoginMiddleware',
     'desktop.middleware.MimeTypeJSFileFixStreamingMiddleware',
     'crequest.middleware.CrequestMiddleware',
+    'desktop.middleware.CSPMiddleware',
 ]
 
 # if os.environ.get(ENV_DESKTOP_DEBUG):
diff --git a/desktop/core/src/desktop/templates/common_footer.mako b/desktop/core/src/desktop/templates/common_footer.mako
index d80aa2c546b..444773b49e5 100644
--- a/desktop/core/src/desktop/templates/common_footer.mako
+++ b/desktop/core/src/desktop/templates/common_footer.mako
@@ -34,7 +34,7 @@ ${ smart_unicode(login_modal(request).content) | n,unicode }
 
 <iframe id="zoomDetectFrame" style="width: 250px; display: none" ></iframe>
 
-${ commonHeaderFooterComponents.footer(messages) }
+${ commonHeaderFooterComponents.footer(messages, csp_nonce) }
 
   </body>
 </html>
diff --git a/desktop/core/src/desktop/templates/common_header.mako b/desktop/core/src/desktop/templates/common_header.mako
index 78dce8825c0..b5f5428bfb4 100644
--- a/desktop/core/src/desktop/templates/common_header.mako
+++ b/desktop/core/src/desktop/templates/common_header.mako
@@ -142,24 +142,26 @@ if USE_NEW_EDITOR.get():
   <%
     global_constants_url = '/desktop/globalJsConstants.js?v=' + hue_version()
   %>
-  <script src="${global_constants_url}"></script>
+  <script nonce="${ request.csp_nonce }" src="${global_constants_url}"></script>
   % endif
 
   % if not conf.DEV.get():
-  <script src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
   % endif
 
   % for bundle in get_hue_bundles('login' if section == 'login' else 'hue', 'LOGIN' if section == 'login' else 'DEFAULT'):
-    ${ render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT') | n,unicode }
+      ## Instead of trying to assign to a variable, directly operate within expressions.
+      ${render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT').replace('<script ', '<script nonce="' + request.csp_nonce + '" ') | n}
   % endfor
 
-  <script src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
-  <script src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
-  <script src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
-  <script src="${ static('desktop/js/popover-extra-placements.js') }"></script>
-  <script src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
-  <script src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }" type="text/javascript" charset="utf-8"></script>
-  <script src="${ static('desktop/ext/js/tzdetect.js') }" type="text/javascript" charset="utf-8"></script>
+
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/popover-extra-placements.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }" type="text/javascript" charset="utf-8"></script>
+  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/tzdetect.js') }" type="text/javascript" charset="utf-8"></script>
 
 % if user.is_authenticated:
   ${ hueAceAutocompleter.hueAceAutocompleter() }
@@ -168,9 +170,9 @@ if USE_NEW_EDITOR.get():
   ${ commonHeaderFooterComponents.header_pollers(user, is_s3_enabled, apps) }
 
 % if user.is_authenticated:
-  <script src="${ static('desktop/ext/js/localforage.min.js') }"></script>
+  <script  nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/localforage.min.js') }"></script>
 
-  <script type="text/javascript">
+  <script  nonce="${ request.csp_nonce }" type="text/javascript">
     $(document).ready(function () {
       localforage.config({
         version: 1.0,
@@ -200,7 +202,7 @@ ${ hueIcons.symbols() }
 
 
 % if hasattr(request, 'environ') and request.environ.get("PATH_INFO").find("/hue/") < 0:
-  <script>
+  <script  nonce="${ request.csp_nonce }">
     window.location.replace(window.HUE_BASE_URL || "/");
   </script>
 % endif
@@ -556,8 +558,8 @@ ${ hueIcons.symbols() }
   </ul>
 
   <!-- UserVoice JavaScript SDK -->
-  <script>(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
-  <script>
+  <script nonce="${ request.csp_nonce }" >(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
+  <script nonce="${ request.csp_nonce }">
   UserVoice = window.UserVoice || [];
   function showClassicWidget() {
     UserVoice.push(['showLightbox', 'classic_widget', {
diff --git a/desktop/core/src/desktop/templates/common_header_footer_components.mako b/desktop/core/src/desktop/templates/common_header_footer_components.mako
index 5be3e6c6f80..23c7a91bc80 100644
--- a/desktop/core/src/desktop/templates/common_header_footer_components.mako
+++ b/desktop/core/src/desktop/templates/common_header_footer_components.mako
@@ -33,7 +33,7 @@ else:
 %>
 
 <%def name="header_pollers(user, is_s3_enabled, apps)">
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     Dropzone.autoDiscover = false;
     moment.locale(window.navigator.userLanguage || window.navigator.language);
     localeFormat = function (time) {
@@ -230,7 +230,7 @@ else:
 
 </%def>
 
-<%def name="footer(messages)">
+<%def name="footer(messages, csp_nonce)">
 
 <div id="progressStatus" class="uploadstatus well hide">
   <h4>${ _('Upload progress') }</h4>
@@ -267,7 +267,7 @@ else:
 
 <div class="clipboard-content"></div>
 
-<script type="text/javascript">
+<script nonce="${request.csp_nonce if request else csp_nonce}" type="text/javascript">
 
   $(document).ready(function () {
 
diff --git a/desktop/core/src/desktop/templates/common_notebook_ko_components.mako b/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
index 26df0258c97..53930a37747 100644
--- a/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
+++ b/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
@@ -74,7 +74,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="${request.csp_nonce}">
     (function () {
       var WHEEL_RADIUS = 75;
       var PLUS_ICON_RADIUS = 27.859; // FA-5X
@@ -353,7 +353,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="${request.csp_nonce}">
     (function () {
 
       function DownloadResultsViewModel (params, element) {
@@ -778,7 +778,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="${request.csp_nonce}">
     (function () {
 
       function AceKeyboardShortcutsViewModel () {
diff --git a/desktop/core/src/desktop/templates/config_ko_components.mako b/desktop/core/src/desktop/templates/config_ko_components.mako
index 3180a35580e..5546e91e285 100644
--- a/desktop/core/src/desktop/templates/config_ko_components.mako
+++ b/desktop/core/src/desktop/templates/config_ko_components.mako
@@ -124,7 +124,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
       function MultiGroupAlternative(alt, params, initiallyChecked) {
         var self = this;
@@ -215,7 +215,7 @@ else:
     })();
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
 
       function PropertySelectorViewModel(params) {
@@ -297,7 +297,7 @@ else:
     })();
   </script>
 
-  <script type="text/html" id="property">
+  <script nonce="${request.csp_nonce}" type="text/html" id="property">
     <div class="config-property" data-bind="visibleOnHover: { selector: '.hover-actions' }">
       <label class="config-label" data-bind="click: function(data, event){ $(event.target).siblings('.config-controls').find('.config-property-add-value a').click(); }">
         <!-- ko text: label --><!-- /ko --><!-- ko if: typeof helpText !== 'undefined' --><div class="property-help" data-bind="tooltip: { title: helpText(), placement: 'bottom' }"><i class="fa fa-question-circle-o"></i></div><!-- /ko -->
@@ -365,7 +365,7 @@ else:
     <input type="text" class="input-small" data-bind="numericTextInput: { value: value, precision: 0, allowEmpty: true }" /> <select class="input-mini" data-bind="options: units, value: selectedUnit"></select>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}"  type="text/javascript">
     (function () {
       var JVM_MEM_PATTERN = /([0-9]+)([MG])$/;
       var UNITS = {'MB': 'M', 'GB': 'G'};
@@ -427,7 +427,7 @@ else:
     <div class="clearfix"></div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
 
       function KeyValueListInputViewModel(params) {
@@ -530,7 +530,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
 
       function NameValueListInputViewModel(params) {
@@ -595,7 +595,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
 
       function FunctionListInputViewModel(params) {
@@ -649,7 +649,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}"  type="text/javascript">
     (function () {
 
       var identifyType = function (path) {
@@ -729,7 +729,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript">
+  <script nonce="${request.csp_nonce}" type="text/javascript">
     (function () {
       function CsvListInputViewModel(params) {
         this.valueObservable = params.value;
diff --git a/desktop/core/src/desktop/templates/hue.mako b/desktop/core/src/desktop/templates/hue.mako
index 50dee07a29c..74ede4f69e0 100644
--- a/desktop/core/src/desktop/templates/hue.mako
+++ b/desktop/core/src/desktop/templates/hue.mako
@@ -43,8 +43,8 @@
 
   % if conf.COLLECT_USAGE.get():
     <!-- Google tag (gtag.js) -->
-    <script async src="https://www.googletagmanager.com/gtag/js?id=${conf.GTAG_ID.get()}"></script>
-    <script>
+    <script nonce="${request.csp_nonce}" async src="https://www.googletagmanager.com/gtag/js?id=${conf.GTAG_ID.get()}"></script>
+    <script nonce="${request.csp_nonce}" >
       window.dataLayer = window.dataLayer || [];
       function gtag(){dataLayer.push(arguments);}
       gtag('js', new Date());
@@ -93,10 +93,10 @@
   <%
     global_constants_url = '/desktop/globalJsConstants.js?v=' + hue_version()
   %>
-  <script src="${global_constants_url}"></script>
+  <script nonce="${request.csp_nonce}"  src="${global_constants_url}"></script>
 
   % if not conf.DEV.get():
-  <script src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
+  <script nonce="${request.csp_nonce}"  src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
   % endif
 </head>
 
@@ -110,8 +110,8 @@
   </ul>
 
   <!-- UserVoice JavaScript SDK -->
-  <script>(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
-  <script>
+  <script nonce="${request.csp_nonce}" >(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
+  <script nonce="${request.csp_nonce}" >
   UserVoice = window.UserVoice || [];
   function showClassicWidget() {
     UserVoice.push(['showLightbox', 'classic_widget', {
@@ -295,24 +295,26 @@ ${ hueIcons.symbols() }
 </div>
 ${ commonshare() | n,unicode }
 
-% for bundle in get_hue_bundles('hue'):
-  ${ render_bundle(bundle) | n,unicode }
+% for bundle in get_hue_bundles('login' if section == 'login' else 'hue', 'LOGIN' if section == 'login' else 'DEFAULT'):
+  <% text = render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT').replace('<script ', '<script nonce="' + request.csp_nonce + '" ') %>
+  ${ text | n}
 % endfor
 
-<script src="${ static('desktop/js/polyfills.js') }"></script>
-<script src="${ static('desktop/ext/js/tether.js') }"></script>
-<script src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
-<script src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }"></script>
-<script src="${ static('desktop/ext/js/tzdetect.js') }"></script>
 
-<script src="${ static('desktop/ext/js/bootstrap-fileupload.js') }"></script>
-<script src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
-<script src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
-<script src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/js/polyfills.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/tether.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/tzdetect.js') }"></script>
 
-<script src="${ static('desktop/js/share2.vm.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/bootstrap-fileupload.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
 
-<script>
+<script nonce="${request.csp_nonce}" src="${ static('desktop/js/share2.vm.js') }"></script>
+
+<script nonce="${request.csp_nonce}" >
   var shareViewModel = initSharing("#documentShareModal");
 </script>
 
@@ -334,7 +336,7 @@ ${ smart_unicode(login_modal(request).content) | n,unicode }
 
 <iframe id="zoomDetectFrame" style="width: 250px; display: none" ></iframe>
 
-${ commonHeaderFooterComponents.footer(messages) }
+${ commonHeaderFooterComponents.footer(messages, csp_nonce) }
 
 ## This includes common knockout templates that are shared with the Job Browser page and the mini job browser panel
 ## available in the upper right corner throughout Hue
diff --git a/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako b/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
index e958e2586b8..5627f5a358d 100644
--- a/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
+++ b/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
@@ -356,7 +356,7 @@ else:
   </script>
 
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="${request.csp_nonce}">
     (function () {
 
       var aceUtil = ace.require('ace/autocomplete/util');
@@ -722,7 +722,7 @@ else:
     <!-- /ko -->
   </script>
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="${request.csp_nonce}">
     (function () {
 
       var COMMENT_LOAD_DELAY = 1500;
diff --git a/desktop/core/src/desktop/templates/login.mako b/desktop/core/src/desktop/templates/login.mako
index d771099d2f8..215b2d62c33 100644
--- a/desktop/core/src/desktop/templates/login.mako
+++ b/desktop/core/src/desktop/templates/login.mako
@@ -161,7 +161,7 @@ ${ commonheader(_("Welcome to Hue"), "login", user, request, "50px", True, True)
    % endif
 </div>
 
-<script>
+<script nonce="${ request.csp_nonce }">
   $(document).ready(function () {
     $("form").on("submit", function () {
       window.setTimeout(function () {
@@ -195,4 +195,4 @@ ${ commonheader(_("Welcome to Hue"), "login", user, request, "50px", True, True)
   });
 </script>
 
-${ commonfooter(None, messages) | n,unicode }
+${ commonfooter(None, messages, False, request.csp_nonce) | n,unicode }
diff --git a/desktop/core/src/desktop/templates/login_modal.mako b/desktop/core/src/desktop/templates/login_modal.mako
index 73778d86896..4e4f9a5f389 100644
--- a/desktop/core/src/desktop/templates/login_modal.mako
+++ b/desktop/core/src/desktop/templates/login_modal.mako
@@ -49,7 +49,7 @@
   </div>
 </div>
 
-<script>
+<script nonce="${request.csp_nonce}">
   $(document).ready(function () {
     $('.reload').on('click', function () {
       location.reload();
diff --git a/desktop/core/src/desktop/views.py b/desktop/core/src/desktop/views.py
index 72c4cef8401..f1c99704626 100644
--- a/desktop/core/src/desktop/views.py
+++ b/desktop/core/src/desktop/views.py
@@ -31,6 +31,7 @@
 import zipfile
 import validate
 
+from desktop.decorators import with_csp_header
 from django.http import HttpResponseRedirect
 from django.conf import settings
 from django.contrib.staticfiles.storage import staticfiles_storage
@@ -128,6 +129,7 @@ def saml_login_headers(request):
   except:
     LOG.error("X-CSRF-TOKEN header not found")
 
+@with_csp_header
 def hue(request):
   current_app, other_apps, apps_list = _get_apps(request.user, '')
   clusters = list(get_clusters(request.user).values())
@@ -654,7 +656,8 @@ def is_idle(request):
 def commonfooter_m(request, messages=None):
   return commonfooter(request, messages, True)
 
-def commonfooter(request, messages=None, is_mobile=False):
+
+def commonfooter(request, messages=None, is_mobile=False, csp_nonce=None):
   """
   Returns the rendered common footer
   """
@@ -666,9 +669,9 @@ def commonfooter(request, messages=None, is_mobile=False):
   template = 'common_footer.mako'
   if is_mobile:
     template = 'common_footer_m.mako'
-
   return django_mako.render_to_string(template, {
     'request': request,
+    'csp_nonce': csp_nonce,
     'messages': messages,
     'version': hue_version(),
     'collect_usage': collect_usage(),

From d455081599702a02b21ac1d15718b71955c86aeb Mon Sep 17 00:00:00 2001
From: tabraiz <tabraiz@cloudera.com>
Date: Tue, 27 Aug 2024 21:10:09 +0530
Subject: [PATCH 2/7] Remove decorator

---
 desktop/core/src/desktop/auth/views.py |  2 --
 desktop/core/src/desktop/decorators.py | 10 ----------
 desktop/core/src/desktop/views.py      |  2 --
 3 files changed, 14 deletions(-)

diff --git a/desktop/core/src/desktop/auth/views.py b/desktop/core/src/desktop/auth/views.py
index beebac3e288..a5ca6220cb0 100644
--- a/desktop/core/src/desktop/auth/views.py
+++ b/desktop/core/src/desktop/auth/views.py
@@ -29,7 +29,6 @@
 from datetime import datetime
 
 from axes.decorators import axes_dispatch
-from desktop.decorators import with_csp_header
 import django.contrib.auth.views
 from django.core.exceptions import SuspiciousOperation
 from django.contrib.auth import login, get_backends, authenticate
@@ -104,7 +103,6 @@ def dt_login_old(request, from_modal=False):
 
 @login_notrequired
 @axes_dispatch
-@with_csp_header
 def dt_login(request, from_modal=False):
   if request.method == 'GET':
     redirect_to = request.GET.get('next', '/')
diff --git a/desktop/core/src/desktop/decorators.py b/desktop/core/src/desktop/decorators.py
index 67bd5abc760..a74c30881d1 100644
--- a/desktop/core/src/desktop/decorators.py
+++ b/desktop/core/src/desktop/decorators.py
@@ -102,13 +102,3 @@ def decorator(*args, **kwargs):
 
   return decorator
 
-
-def with_csp_header(view_func):
-    @wraps(view_func)
-    def _wrapped_view(request, *args, **kwargs):
-        response = view_func(request, *args, **kwargs)
-        nonce = base64.b64encode(os.urandom(16)).decode('utf-8')
-        csp_policy = f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-eval';"
-        response['Content-Security-Policy'] = csp_policy
-        return response
-    return _wrapped_view
diff --git a/desktop/core/src/desktop/views.py b/desktop/core/src/desktop/views.py
index f1c99704626..35bff60f94d 100644
--- a/desktop/core/src/desktop/views.py
+++ b/desktop/core/src/desktop/views.py
@@ -31,7 +31,6 @@
 import zipfile
 import validate
 
-from desktop.decorators import with_csp_header
 from django.http import HttpResponseRedirect
 from django.conf import settings
 from django.contrib.staticfiles.storage import staticfiles_storage
@@ -129,7 +128,6 @@ def saml_login_headers(request):
   except:
     LOG.error("X-CSRF-TOKEN header not found")
 
-@with_csp_header
 def hue(request):
   current_app, other_apps, apps_list = _get_apps(request.user, '')
   clusters = list(get_clusters(request.user).values())

From b7fa1886763846122c43b34febd36aa4e2d35b60 Mon Sep 17 00:00:00 2001
From: tabraiz <tabraiz@cloudera.com>
Date: Wed, 28 Aug 2024 16:33:38 +0530
Subject: [PATCH 3/7] remove changes in decorator

---
 desktop/core/src/desktop/decorators.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/desktop/core/src/desktop/decorators.py b/desktop/core/src/desktop/decorators.py
index a74c30881d1..9fcdd093b92 100644
--- a/desktop/core/src/desktop/decorators.py
+++ b/desktop/core/src/desktop/decorators.py
@@ -17,8 +17,6 @@
 
 import logging
 import sys
-import base64
-import os
 
 from desktop.auth.backend import is_admin
 from desktop.lib.exceptions_renderable import PopupException
@@ -101,4 +99,3 @@ def decorator(*args, **kwargs):
         return JsonResponse(response)
 
   return decorator
-

From 40ae31c1b9550614fadcbbbe5ad224dffcda86bb Mon Sep 17 00:00:00 2001
From: tabraiz <tabraiz@cloudera.com>
Date: Mon, 16 Sep 2024 10:03:18 +0530
Subject: [PATCH 4/7] fixes to unsafe inlines

---
 desktop/core/src/desktop/conf.py              |   7 +
 .../core/src/desktop/js/onePageViewModel.js   |  12 +-
 desktop/core/src/desktop/lib/django_util.py   |  10 ++
 desktop/core/src/desktop/middleware.py        | 148 ++++++++++++++----
 desktop/core/src/desktop/settings.py          |   3 +-
 .../src/desktop/templates/common_footer.mako  |   4 +-
 .../src/desktop/templates/common_header.mako  |  36 ++---
 .../common_header_footer_components.mako      |   7 +-
 .../common_notebook_ko_components.mako        |   7 +-
 .../templates/config_ko_components.mako       |  19 +--
 desktop/core/src/desktop/templates/hue.mako   |  41 ++---
 .../templates/hue_ace_autocompleter.mako      |   5 +-
 desktop/core/src/desktop/templates/login.mako |   6 +-
 .../src/desktop/templates/login_modal.mako    |   4 +-
 desktop/core/src/desktop/views.py             |   4 +-
 .../src/notebook/templates/editor2.mako       |   3 +-
 .../notebook/templates/editor_components.mako |   4 +-
 17 files changed, 222 insertions(+), 98 deletions(-)

diff --git a/desktop/core/src/desktop/conf.py b/desktop/core/src/desktop/conf.py
index f788adfbdeb..5d23e7e4338 100644
--- a/desktop/core/src/desktop/conf.py
+++ b/desktop/core/src/desktop/conf.py
@@ -395,6 +395,13 @@ def has_ssl_no_renegotiation():
           "child-src 'self' data: *.vimeo.com;" +
           "object-src 'none'")
 
+
+CSP_NONCE = Config(
+  key="csp_nonce",
+  help=_('CSP NONCE can be true or false'),
+  type=coerce_bool,
+  default=False)
+
 SECURE_SSL_REDIRECT = Config(
   key="secure_ssl_redirect",
   help=_('If all non-SSL requests should be permanently redirected to SSL.'),
diff --git a/desktop/core/src/desktop/js/onePageViewModel.js b/desktop/core/src/desktop/js/onePageViewModel.js
index 6cc5db2a3fa..a28f905d5de 100644
--- a/desktop/core/src/desktop/js/onePageViewModel.js
+++ b/desktop/core/src/desktop/js/onePageViewModel.js
@@ -256,7 +256,12 @@ class OnePageViewModel {
           const nextScriptPromise = scriptPromises.shift();
           nextScriptPromise.done(scriptDetails => {
             if (scriptDetails.contents) {
-              $.globalEval(scriptDetails.contents);
+              // $.globalEval(scriptDetails.contents);
+              const nonce = window.nonce || '';  // Fallback to an empty string if nonce is not defined
+              const script = document.createElement('script');
+              script.setAttribute('nonce', nonce);  // Set the nonce attribute more explicitly
+              script.text = scriptDetails.contents;
+              document.head.appendChild(script).parentNode.removeChild(script);
             }
             evalScriptSync();
           });
@@ -386,6 +391,11 @@ class OnePageViewModel {
               self.extraEmbeddableURLParams('');
 
               self.processHeaders(response).done($rawHtml => {
+                const nonce = window.nonce || ''; 
+                const scripts = $rawHtml.find('script');
+                scripts.each(function() {
+                  this.setAttribute('nonce', nonce);
+                });
                 if (window.SKIP_CACHE.indexOf(app) === -1) {
                   self.embeddable_cache[app] = $rawHtml;
                 }
diff --git a/desktop/core/src/desktop/lib/django_util.py b/desktop/core/src/desktop/lib/django_util.py
index 21bd933f118..369ec619e6f 100644
--- a/desktop/core/src/desktop/lib/django_util.py
+++ b/desktop/core/src/desktop/lib/django_util.py
@@ -502,3 +502,13 @@ def __init__(self, data, encoder=DjangoJSONEncoder, safe=True,
     kwargs.setdefault('content_type', 'application/json')
     data = json.dumps(data, cls=encoder, **json_dumps_params)
     super(JsonResponse, self).__init__(content=data, **kwargs)
+
+
+def nonce_attribute(context):
+    # Assuming 'csp_nonce' is set in the context and CSP_NONCE controls its usage
+
+    if desktop.conf.CSP_NONCE.get():
+        csp_nonce = context.csp_nonce
+        if csp_nonce:
+            return f' nonce={csp_nonce}'
+    return ''
\ No newline at end of file
diff --git a/desktop/core/src/desktop/middleware.py b/desktop/core/src/desktop/middleware.py
index e5417975d86..40cc3d55a92 100644
--- a/desktop/core/src/desktop/middleware.py
+++ b/desktop/core/src/desktop/middleware.py
@@ -55,7 +55,7 @@
 from desktop.auth.backend import is_admin, find_or_create_user, ensure_has_a_group, rewrite_user
 from desktop.conf import AUTH, HTTP_ALLOWED_METHODS, ENABLE_PROMETHEUS, KNOX, DJANGO_DEBUG_MODE, AUDIT_EVENT_LOG_DIR, \
     METRICS, SERVER_USER, REDIRECT_WHITELIST, SECURE_CONTENT_SECURITY_POLICY, has_connectors, is_gunicorn_report_enabled, \
-    CUSTOM_CACHE_CONTROL, HUE_LOAD_BALANCER
+    CUSTOM_CACHE_CONTROL, HUE_LOAD_BALANCER, CSP_NONCE
 from desktop.context_processors import get_app_name
 from desktop.lib import apputil, i18n, fsmanager
 from desktop.lib.django_util import JsonResponse, render, render_json
@@ -70,6 +70,83 @@
 from libsaml.conf import CDP_LOGOUT_URL
 from urllib.parse import urlparse
 
+import base64
+import os
+
+# Number of random bytes in the nonce:
+NONCE_BYTES = 24
+
+def generate_nonce():
+    """ Return a unique base64 encoded nonce hash."""
+    nonce = os.urandom(NONCE_BYTES)
+    return base64.b64encode(nonce).decode()
+
+
+def nonce_exists(response):
+    """Check for preexisting nonce in style and script.
+
+     Args:
+         response (:obj:): Django response object
+
+     Returns:
+         nonce_found (dict): Dictionary of nonces found
+         has_nonce (bool): True if any nonce has been found
+     """
+    try:
+        csp = response['Content-Security-Policy']
+    except KeyError:
+        csp = response['Content-Security-Policy-Report-Only']
+
+    nonce_found = {}
+
+    if csp:
+        csp_split = csp.split(';')
+        for directive in csp_split:
+            if 'nonce-' not in directive:
+                continue
+            if 'script-src' in directive:
+                nonce_found['script'] = directive
+            if 'style-src' in directive:
+                nonce_found['style'] = directive
+
+    has_nonce = any(nonce_found)
+
+    return nonce_found, has_nonce
+
+
+def get_header(response):
+    """Get the CSP header type.
+
+    This is basically a check for:
+        Content-Security-Policy or Content-Security-Policy-Report-Only
+
+    Args:
+        response (:obj:): Django response object
+
+    Returns:
+         dict:
+            name: CPS header policy. i.e. Report-Only or not
+            csp: CSP directives associated with the header
+            bool: False if neither policy header is found
+    """
+    policies = [
+        "Content-Security-Policy",
+        "Content-Security-Policy-Report-Only"
+    ]
+
+    try:
+        name = policies[0]
+        csp = response[policies[0]]
+    except KeyError:
+        try:
+            name = policies[1]
+            csp = response[policies[1]]
+        except KeyError:
+            return False
+
+    return {'name': name, 'csp': csp}
+
+
 if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
   from django.utils.http import url_has_allowed_host_and_scheme
@@ -901,19 +978,48 @@ def process_response(self, request, response):
 
 
 class ContentSecurityPolicyMiddleware(MiddlewareMixin):
-  def __init__(self, get_response):
-    self.get_response = get_response
-    self.secure_content_security_policy = SECURE_CONTENT_SECURITY_POLICY.get()
-    if not self.secure_content_security_policy:
-      LOG.info('Unloading ContentSecurityPolicyMiddleware')
-      raise exceptions.MiddlewareNotUsed
-
-  def process_response(self, request, response):
-    if self.secure_content_security_policy and not 'Content-Security-Policy' in response:
-      response["Content-Security-Policy"] = self.secure_content_security_policy
-
-    return response
-
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.secure_content_security_policy = SECURE_CONTENT_SECURITY_POLICY.get()
+        if not self.secure_content_security_policy:
+            logger.info('Unloading ContentSecurityPolicyMiddleware')
+            raise exceptions.MiddlewareNotUsed
+
+    def process_request(self, request):
+        nonce = generate_nonce()
+        request.csp_nonce = nonce
+
+    def process_response(self, request, response):
+        # Add the secure CSP if it doesn't exist
+        if not CSP_NONCE.get():
+          return response
+
+        if self.secure_content_security_policy and 'Content-Security-Policy' not in response:
+            response["Content-Security-Policy"] = self.secure_content_security_policy
+
+        header = get_header(response)
+        if not header or not hasattr(request, 'csp_nonce'):
+            return response
+
+        nonce_found, has_nonce = nonce_exists(response)
+        if has_nonce:
+            logger.error("Nonce already exists: {}".format(nonce_found))
+            return response
+
+        nonce = getattr(request, 'csp_nonce', None)
+        csp_split = header['csp'].split(';')
+        new_csp = []
+        
+        nonce_directive = f"'nonce-{nonce}'" if nonce else ''
+        for p in csp_split:
+            directive = p.lstrip().split(' ')[0]
+            if directive in ('script-src') and nonce:
+                p += f" {nonce_directive}"
+            new_csp.append(p)
+
+        # Set the CSP header with the new policy including the nonce
+        response[header['name']] = "; ".join(new_csp)  # Added space for consistency after ";"
+        return response
 
 class MimeTypeJSFileFixStreamingMiddleware(MiddlewareMixin):
   """
@@ -973,20 +1079,6 @@ def __call__(self, request):
     return self.get_response(request)
 
 
-class CSPMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        nonce = base64.b64encode(os.urandom(16)).decode('utf-8')
-        request.csp_nonce = nonce  # Make nonce available in the request
-        response = self.get_response(request)
-        csp_policy = "script-src 'nonce-{}' 'strict-dynamic' 'unsafe-eval';".format(nonce)
-
-        response['Content-Security-Policy'] = csp_policy
-        return response
-
-
 class CacheControlMiddleware(MiddlewareMixin):
   def __init__(self, get_response):
     self.get_response = get_response
diff --git a/desktop/core/src/desktop/settings.py b/desktop/core/src/desktop/settings.py
index 4b296f4c0bc..aac8311f35d 100644
--- a/desktop/core/src/desktop/settings.py
+++ b/desktop/core/src/desktop/settings.py
@@ -167,7 +167,6 @@
     # 'axes.middleware.FailedLoginMiddleware',
     'desktop.middleware.MimeTypeJSFileFixStreamingMiddleware',
     'crequest.middleware.CrequestMiddleware',
-    'desktop.middleware.CSPMiddleware',
 ]
 
 # if os.environ.get(ENV_DESKTOP_DEBUG):
@@ -241,7 +240,7 @@
   'django.template.context_processors.request',
   'django.contrib.messages.context_processors.messages',
    # Not default
-  'desktop.context_processors.app_name',
+  'desktop.context_processors.app_name'
 )
 
 TEMPLATES = [
diff --git a/desktop/core/src/desktop/templates/common_footer.mako b/desktop/core/src/desktop/templates/common_footer.mako
index 444773b49e5..7053f3622e4 100644
--- a/desktop/core/src/desktop/templates/common_footer.mako
+++ b/desktop/core/src/desktop/templates/common_footer.mako
@@ -24,6 +24,8 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
+
+from desktop.lib.django_util import nonce_attribute
 %>
 
 <%namespace name="commonHeaderFooterComponents" file="/common_header_footer_components.mako" />
@@ -34,7 +36,7 @@ ${ smart_unicode(login_modal(request).content) | n,unicode }
 
 <iframe id="zoomDetectFrame" style="width: 250px; display: none" ></iframe>
 
-${ commonHeaderFooterComponents.footer(messages, csp_nonce) }
+${ commonHeaderFooterComponents.footer(messages, nonce_attribute(request) ) }
 
   </body>
 </html>
diff --git a/desktop/core/src/desktop/templates/common_header.mako b/desktop/core/src/desktop/templates/common_header.mako
index b5f5428bfb4..e844a9c744d 100644
--- a/desktop/core/src/desktop/templates/common_header.mako
+++ b/desktop/core/src/desktop/templates/common_header.mako
@@ -30,7 +30,7 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
-
+from desktop.lib.django_util import nonce_attribute
 home_url = url('desktop_views_home')
 if USE_NEW_EDITOR.get():
   home_url = url('desktop_views_home2')
@@ -89,7 +89,7 @@ if USE_NEW_EDITOR.get():
   <link href="${ static('desktop/css/hue3.css') }" rel="stylesheet">
   <link href="${ static('desktop/css/hue3-extra.css') }" rel="stylesheet">
 
-  <style type="text/css">
+  <style ${nonce_attribute(request)} type="text/css">
     % if banner_message or conf.CUSTOM.BANNER_TOP_HTML.get():
       body {
         display: none;
@@ -142,26 +142,24 @@ if USE_NEW_EDITOR.get():
   <%
     global_constants_url = '/desktop/globalJsConstants.js?v=' + hue_version()
   %>
-  <script nonce="${ request.csp_nonce }" src="${global_constants_url}"></script>
+  <script ${nonce_attribute(request)} src="${global_constants_url}"></script>
   % endif
 
   % if not conf.DEV.get():
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
+  <script ${nonce_attribute(request)} src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
   % endif
 
   % for bundle in get_hue_bundles('login' if section == 'login' else 'hue', 'LOGIN' if section == 'login' else 'DEFAULT'):
-      ## Instead of trying to assign to a variable, directly operate within expressions.
-      ${render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT').replace('<script ', '<script nonce="' + request.csp_nonce + '" ') | n}
+    ${ render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT') | n,unicode }
   % endfor
 
-
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/js/popover-extra-placements.js') }"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }" type="text/javascript" charset="utf-8"></script>
-  <script nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/tzdetect.js') }" type="text/javascript" charset="utf-8"></script>
+  <script ${nonce_attribute(request)} src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/js/popover-extra-placements.js') }"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }" type="text/javascript" charset="utf-8"></script>
+  <script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/tzdetect.js') }" type="text/javascript" charset="utf-8"></script>
 
 % if user.is_authenticated:
   ${ hueAceAutocompleter.hueAceAutocompleter() }
@@ -170,9 +168,9 @@ if USE_NEW_EDITOR.get():
   ${ commonHeaderFooterComponents.header_pollers(user, is_s3_enabled, apps) }
 
 % if user.is_authenticated:
-  <script  nonce="${ request.csp_nonce }" src="${ static('desktop/ext/js/localforage.min.js') }"></script>
+  <script ${nonce_attribute(request)} src="${ static('desktop/ext/js/localforage.min.js') }"></script>
 
-  <script  nonce="${ request.csp_nonce }" type="text/javascript">
+  <script ${nonce_attribute(request)} type="text/javascript">
     $(document).ready(function () {
       localforage.config({
         version: 1.0,
@@ -202,7 +200,7 @@ ${ hueIcons.symbols() }
 
 
 % if hasattr(request, 'environ') and request.environ.get("PATH_INFO").find("/hue/") < 0:
-  <script  nonce="${ request.csp_nonce }">
+  <script  ${nonce_attribute(request)}>
     window.location.replace(window.HUE_BASE_URL || "/");
   </script>
 % endif
@@ -558,8 +556,8 @@ ${ hueIcons.symbols() }
   </ul>
 
   <!-- UserVoice JavaScript SDK -->
-  <script nonce="${ request.csp_nonce }" >(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
-  <script nonce="${ request.csp_nonce }">
+  <script ${nonce_attribute(request)}>(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
+  <script ${nonce_attribute(request)}>
   UserVoice = window.UserVoice || [];
   function showClassicWidget() {
     UserVoice.push(['showLightbox', 'classic_widget', {
diff --git a/desktop/core/src/desktop/templates/common_header_footer_components.mako b/desktop/core/src/desktop/templates/common_header_footer_components.mako
index 23c7a91bc80..d81ccb97653 100644
--- a/desktop/core/src/desktop/templates/common_header_footer_components.mako
+++ b/desktop/core/src/desktop/templates/common_header_footer_components.mako
@@ -30,10 +30,11 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
+from desktop.lib.django_util import nonce_attribute
 %>
 
 <%def name="header_pollers(user, is_s3_enabled, apps)">
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script ${nonce_attribute(request)} type="text/javascript">
     Dropzone.autoDiscover = false;
     moment.locale(window.navigator.userLanguage || window.navigator.language);
     localeFormat = function (time) {
@@ -230,7 +231,7 @@ else:
 
 </%def>
 
-<%def name="footer(messages, csp_nonce)">
+<%def name="footer(messages, nonce)">
 
 <div id="progressStatus" class="uploadstatus well hide">
   <h4>${ _('Upload progress') }</h4>
@@ -267,7 +268,7 @@ else:
 
 <div class="clipboard-content"></div>
 
-<script nonce="${request.csp_nonce if request else csp_nonce}" type="text/javascript">
+<script ${nonce_attribute(request)} type="text/javascript">
 
   $(document).ready(function () {
 
diff --git a/desktop/core/src/desktop/templates/common_notebook_ko_components.mako b/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
index 53930a37747..2166b82f4bc 100644
--- a/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
+++ b/desktop/core/src/desktop/templates/common_notebook_ko_components.mako
@@ -29,6 +29,7 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
+from desktop.lib.django_util import nonce_attribute
 %>
 
 
@@ -74,7 +75,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript" nonce="${request.csp_nonce}">
+  <script type="text/javascript"  ${nonce_attribute(request)}>
     (function () {
       var WHEEL_RADIUS = 75;
       var PLUS_ICON_RADIUS = 27.859; // FA-5X
@@ -353,7 +354,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript" nonce="${request.csp_nonce}">
+  <script type="text/javascript" ${nonce_attribute(request)} >
     (function () {
 
       function DownloadResultsViewModel (params, element) {
@@ -778,7 +779,7 @@ else:
     </div>
   </script>
 
-  <script type="text/javascript" nonce="${request.csp_nonce}">
+  <script type="text/javascript"  ${nonce_attribute(request)} >
     (function () {
 
       function AceKeyboardShortcutsViewModel () {
diff --git a/desktop/core/src/desktop/templates/config_ko_components.mako b/desktop/core/src/desktop/templates/config_ko_components.mako
index 5546e91e285..a9f3c7837db 100644
--- a/desktop/core/src/desktop/templates/config_ko_components.mako
+++ b/desktop/core/src/desktop/templates/config_ko_components.mako
@@ -24,6 +24,7 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
+from desktop.lib.django_util import nonce_attribute
 %>
 
 <%def name="config()">
@@ -124,7 +125,7 @@ else:
     </div>
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script ${nonce_attribute(request)} type="text/javascript">
     (function () {
       function MultiGroupAlternative(alt, params, initiallyChecked) {
         var self = this;
@@ -215,7 +216,7 @@ else:
     })();
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script  ${nonce_attribute(request)} type="text/javascript">
     (function () {
 
       function PropertySelectorViewModel(params) {
@@ -297,7 +298,7 @@ else:
     })();
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/html" id="property">
+  <script  ${nonce_attribute(request)} type="text/html" id="property">
     <div class="config-property" data-bind="visibleOnHover: { selector: '.hover-actions' }">
       <label class="config-label" data-bind="click: function(data, event){ $(event.target).siblings('.config-controls').find('.config-property-add-value a').click(); }">
         <!-- ko text: label --><!-- /ko --><!-- ko if: typeof helpText !== 'undefined' --><div class="property-help" data-bind="tooltip: { title: helpText(), placement: 'bottom' }"><i class="fa fa-question-circle-o"></i></div><!-- /ko -->
@@ -365,7 +366,7 @@ else:
     <input type="text" class="input-small" data-bind="numericTextInput: { value: value, precision: 0, allowEmpty: true }" /> <select class="input-mini" data-bind="options: units, value: selectedUnit"></select>
   </script>
 
-  <script nonce="${request.csp_nonce}"  type="text/javascript">
+  <script  ${nonce_attribute(request)}  type="text/javascript">
     (function () {
       var JVM_MEM_PATTERN = /([0-9]+)([MG])$/;
       var UNITS = {'MB': 'M', 'GB': 'G'};
@@ -427,7 +428,7 @@ else:
     <div class="clearfix"></div>
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script  ${nonce_attribute(request)} type="text/javascript">
     (function () {
 
       function KeyValueListInputViewModel(params) {
@@ -530,7 +531,7 @@ else:
     </div>
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script  ${nonce_attribute(request)} type="text/javascript">
     (function () {
 
       function NameValueListInputViewModel(params) {
@@ -595,7 +596,7 @@ else:
     </div>
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script  ${nonce_attribute(request)} type="text/javascript">
     (function () {
 
       function FunctionListInputViewModel(params) {
@@ -649,7 +650,7 @@ else:
     </div>
   </script>
 
-  <script nonce="${request.csp_nonce}"  type="text/javascript">
+  <script  ${nonce_attribute(request)}  type="text/javascript">
     (function () {
 
       var identifyType = function (path) {
@@ -729,7 +730,7 @@ else:
     </div>
   </script>
 
-  <script nonce="${request.csp_nonce}" type="text/javascript">
+  <script  ${nonce_attribute(request)} type="text/javascript">
     (function () {
       function CsvListInputViewModel(params) {
         this.valueObservable = params.value;
diff --git a/desktop/core/src/desktop/templates/hue.mako b/desktop/core/src/desktop/templates/hue.mako
index 74ede4f69e0..891b8b33457 100644
--- a/desktop/core/src/desktop/templates/hue.mako
+++ b/desktop/core/src/desktop/templates/hue.mako
@@ -24,6 +24,7 @@
   from desktop.models import hue_version
   from desktop.views import _ko, commonshare, login_modal
   from desktop.webpack_utils import get_hue_bundles
+  from desktop.lib.django_util import nonce_attribute
 
   from webpack_loader.templatetags.webpack_loader import render_bundle
 
@@ -43,9 +44,10 @@
 
   % if conf.COLLECT_USAGE.get():
     <!-- Google tag (gtag.js) -->
-    <script nonce="${request.csp_nonce}" async src="https://www.googletagmanager.com/gtag/js?id=${conf.GTAG_ID.get()}"></script>
-    <script nonce="${request.csp_nonce}" >
+    <script ${nonce_attribute(request)} async src="https://www.googletagmanager.com/gtag/js?id=${conf.GTAG_ID.get()}"></script>
+    <script ${nonce_attribute(request)} >
       window.dataLayer = window.dataLayer || [];
+      window.nonce="${request.csp_nonce}";
       function gtag(){dataLayer.push(arguments);}
       gtag('js', new Date());
 
@@ -93,10 +95,10 @@
   <%
     global_constants_url = '/desktop/globalJsConstants.js?v=' + hue_version()
   %>
-  <script nonce="${request.csp_nonce}"  src="${global_constants_url}"></script>
+  <script ${nonce_attribute(request)}   src="${global_constants_url}"></script>
 
   % if not conf.DEV.get():
-  <script nonce="${request.csp_nonce}"  src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
+  <script ${nonce_attribute(request)}   src="${ static('desktop/js/hue.errorcatcher.js') }"></script>
   % endif
 </head>
 
@@ -110,8 +112,8 @@
   </ul>
 
   <!-- UserVoice JavaScript SDK -->
-  <script nonce="${request.csp_nonce}" >(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
-  <script nonce="${request.csp_nonce}" >
+  <script ${nonce_attribute(request)}  >(function(){var uv=document.createElement('script');uv.type='text/javascript';uv.async=true;uv.src='//widget.uservoice.com/8YpsDfIl1Y2sNdONoLXhrg.js';var s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(uv,s)})()</script>
+  <script ${nonce_attribute(request)}  >
   UserVoice = window.UserVoice || [];
   function showClassicWidget() {
     UserVoice.push(['showLightbox', 'classic_widget', {
@@ -296,25 +298,24 @@ ${ hueIcons.symbols() }
 ${ commonshare() | n,unicode }
 
 % for bundle in get_hue_bundles('login' if section == 'login' else 'hue', 'LOGIN' if section == 'login' else 'DEFAULT'):
-  <% text = render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT').replace('<script ', '<script nonce="' + request.csp_nonce + '" ') %>
+  <% text = render_bundle(bundle, config='LOGIN' if section == 'login' else 'DEFAULT').replace('<script ', '<script' + nonce_attribute(request) + ' ') %>
   ${ text | n}
 % endfor
 
+<script ${nonce_attribute(request)}  src="${ static('desktop/js/polyfills.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/tether.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/tzdetect.js') }"></script>
 
-<script nonce="${request.csp_nonce}" src="${ static('desktop/js/polyfills.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/tether.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/moment-with-locales.min.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/moment-timezone-with-data.min.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/tzdetect.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/bootstrap-fileupload.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
 
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/bootstrap-fileupload.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/js/bootstrap-tooltip.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/js/bootstrap-typeahead-touchscreen.js') }"></script>
-<script nonce="${request.csp_nonce}" src="${ static('desktop/ext/js/bootstrap-better-typeahead.min.js') }"></script>
+<script ${nonce_attribute(request)}  src="${ static('desktop/js/share2.vm.js') }"></script>
 
-<script nonce="${request.csp_nonce}" src="${ static('desktop/js/share2.vm.js') }"></script>
-
-<script nonce="${request.csp_nonce}" >
+<script ${nonce_attribute(request)}  >
   var shareViewModel = initSharing("#documentShareModal");
 </script>
 
@@ -336,7 +337,7 @@ ${ smart_unicode(login_modal(request).content) | n,unicode }
 
 <iframe id="zoomDetectFrame" style="width: 250px; display: none" ></iframe>
 
-${ commonHeaderFooterComponents.footer(messages, csp_nonce) }
+${ commonHeaderFooterComponents.footer(messages, nonce) }
 
 ## This includes common knockout templates that are shared with the Job Browser page and the mini job browser panel
 ## available in the upper right corner throughout Hue
diff --git a/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako b/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
index 5627f5a358d..aa0f94d4089 100644
--- a/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
+++ b/desktop/core/src/desktop/templates/hue_ace_autocompleter.mako
@@ -23,6 +23,7 @@ if sys.version_info[0] > 2:
   from django.utils.translation import gettext as _
 else:
   from django.utils.translation import ugettext as _
+from desktop.lib.django_util import nonce_attribute
 %>
 
 <%def name="hueAceAutocompleter()">
@@ -356,7 +357,7 @@ else:
   </script>
 
 
-  <script type="text/javascript" nonce="${request.csp_nonce}">
+  <script type="text/javascript" ${nonce_attribute(request)}>
     (function () {
 
       var aceUtil = ace.require('ace/autocomplete/util');
@@ -722,7 +723,7 @@ else:
     <!-- /ko -->
   </script>
 
-  <script type="text/javascript" nonce="${request.csp_nonce}">
+  <script type="text/javascript" ${nonce_attribute(request)}>
     (function () {
 
       var COMMENT_LOAD_DELAY = 1500;
diff --git a/desktop/core/src/desktop/templates/login.mako b/desktop/core/src/desktop/templates/login.mako
index 215b2d62c33..7b62f6dd1f4 100644
--- a/desktop/core/src/desktop/templates/login.mako
+++ b/desktop/core/src/desktop/templates/login.mako
@@ -21,11 +21,11 @@
 
   from desktop.conf import CUSTOM, ENABLE_ORGANIZATIONS
   from desktop.views import commonheader, commonfooter
-
   if sys.version_info[0] > 2:
     from django.utils.translation import gettext as _
   else:
     from django.utils.translation import ugettext as _
+  from desktop.lib.django_util import nonce_attribute
 %>
 
 <%namespace name="hueIcons" file="/hue_icons.mako" />
@@ -161,7 +161,7 @@ ${ commonheader(_("Welcome to Hue"), "login", user, request, "50px", True, True)
    % endif
 </div>
 
-<script nonce="${ request.csp_nonce }">
+<script ${nonce_attribute(request)}>
   $(document).ready(function () {
     $("form").on("submit", function () {
       window.setTimeout(function () {
@@ -195,4 +195,4 @@ ${ commonheader(_("Welcome to Hue"), "login", user, request, "50px", True, True)
   });
 </script>
 
-${ commonfooter(None, messages, False, request.csp_nonce) | n,unicode }
+${ commonfooter(request, messages, nonce ) | n,unicode }
diff --git a/desktop/core/src/desktop/templates/login_modal.mako b/desktop/core/src/desktop/templates/login_modal.mako
index 4e4f9a5f389..1187e296e9b 100644
--- a/desktop/core/src/desktop/templates/login_modal.mako
+++ b/desktop/core/src/desktop/templates/login_modal.mako
@@ -22,7 +22,7 @@
     from django.utils.translation import gettext as _
   else:
     from django.utils.translation import ugettext as _
-
+  from desktop.lib.django_util import nonce_attribute
   from useradmin.hue_password_policy import is_password_policy_enabled, get_password_hint
 %>
 
@@ -49,7 +49,7 @@
   </div>
 </div>
 
-<script nonce="${request.csp_nonce}">
+<script ${nonce_attribute(request)} >
   $(document).ready(function () {
     $('.reload').on('click', function () {
       location.reload();
diff --git a/desktop/core/src/desktop/views.py b/desktop/core/src/desktop/views.py
index 35bff60f94d..9fb4120c09c 100644
--- a/desktop/core/src/desktop/views.py
+++ b/desktop/core/src/desktop/views.py
@@ -68,6 +68,7 @@
 from libsaml.conf import REQUIRED_GROUPS, REQUIRED_GROUPS_ATTRIBUTE
 from useradmin.models import get_profile
 from useradmin.models import User
+from django.utils.html import format_html
 
 if sys.version_info[0] > 2:
   from io import StringIO as string_io
@@ -655,7 +656,7 @@ def commonfooter_m(request, messages=None):
   return commonfooter(request, messages, True)
 
 
-def commonfooter(request, messages=None, is_mobile=False, csp_nonce=None):
+def commonfooter(request, messages=None, is_mobile=False):
   """
   Returns the rendered common footer
   """
@@ -669,7 +670,6 @@ def commonfooter(request, messages=None, is_mobile=False, csp_nonce=None):
     template = 'common_footer_m.mako'
   return django_mako.render_to_string(template, {
     'request': request,
-    'csp_nonce': csp_nonce,
     'messages': messages,
     'version': hue_version(),
     'collect_usage': collect_usage(),
diff --git a/desktop/libs/notebook/src/notebook/templates/editor2.mako b/desktop/libs/notebook/src/notebook/templates/editor2.mako
index 18cfa927b59..9741e6c0e52 100644
--- a/desktop/libs/notebook/src/notebook/templates/editor2.mako
+++ b/desktop/libs/notebook/src/notebook/templates/editor2.mako
@@ -25,6 +25,7 @@
     from django.utils.translation import gettext as _
   else:
     from django.utils.translation import ugettext as _
+  from desktop.lib.django_util import nonce_attribute
 %>
 
 <%namespace name="configKoComponents" file="/config_ko_components.mako" />
@@ -1069,7 +1070,7 @@ There is no bridge to KO for components using this integration. Example using in
   </div>
 </div>
 
-<script type="text/javascript">
+<script ${nonce_attribute(request)} type="text/javascript">
   window.EDITOR_BINDABLE_ELEMENT = '#editorComponents';
 
   window.EDITOR_SUFFIX = 'editor';
diff --git a/desktop/libs/notebook/src/notebook/templates/editor_components.mako b/desktop/libs/notebook/src/notebook/templates/editor_components.mako
index 24ad6624757..832fc33f7a7 100644
--- a/desktop/libs/notebook/src/notebook/templates/editor_components.mako
+++ b/desktop/libs/notebook/src/notebook/templates/editor_components.mako
@@ -24,7 +24,7 @@ from desktop.auth.backend import is_admin
 from desktop.lib.i18n import smart_unicode
 from desktop.views import _ko, antixss
 from desktop.webpack_utils import get_hue_bundles
-
+from desktop.lib.django_util import nonce_attribute
 from metadata.conf import has_optimizer, OPTIMIZER
 
 from notebook.conf import ENABLE_QUERY_BUILDER, ENABLE_QUERY_SCHEDULING, ENABLE_BATCH_EXECUTE, ENABLE_EXTERNAL_STATEMENT, ENABLE_PRESENTATION
@@ -2054,7 +2054,7 @@ else:
 
 <%def name="commonJS(is_embeddable=False, bindableElement='editorComponents', suffix='')">
 
-<script type="text/javascript">
+<script ${nonce_attribute(request)} type="text/javascript">
   window.EDITOR_BINDABLE_ELEMENT = '#${ bindableElement }';
 
   window.EDITOR_SUFFIX = '${ suffix }';

From c436ac2e64f2650a0032d93e9a8afb20b5f5cddf Mon Sep 17 00:00:00 2001
From: tabraiz <tabraiz@cloudera.com>
Date: Mon, 16 Sep 2024 10:13:29 +0530
Subject: [PATCH 5/7] remove unsafe-inline from scripts

---
 desktop/core/src/desktop/middleware.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/desktop/core/src/desktop/middleware.py b/desktop/core/src/desktop/middleware.py
index 40cc3d55a92..91ff52188ac 100644
--- a/desktop/core/src/desktop/middleware.py
+++ b/desktop/core/src/desktop/middleware.py
@@ -1009,16 +1009,24 @@ def process_response(self, request, response):
         nonce = getattr(request, 'csp_nonce', None)
         csp_split = header['csp'].split(';')
         new_csp = []
-        
         nonce_directive = f"'nonce-{nonce}'" if nonce else ''
+
         for p in csp_split:
             directive = p.lstrip().split(' ')[0]
-            if directive in ('script-src') and nonce:
-                p += f" {nonce_directive}"
-            new_csp.append(p)
+            if nonce:
+                # Remove unsafe-inline from scripts
+                # TODO remove unsafe-inline from styles
+                if directive in ('script-src'):
+                    new_directive_parts = [part for part in p.split(' ') if part and part != "'unsafe-inline'"]
+                    new_directive_parts.append(nonce_directive)
+                    new_csp.append(' '.join(new_directive_parts))
+                else:
+                    new_csp.append(p)
+            else:
+                new_csp.append(p)
+
+        response[header['name']] = "; ".join(new_csp).strip() + ';'
 
-        # Set the CSP header with the new policy including the nonce
-        response[header['name']] = "; ".join(new_csp)  # Added space for consistency after ";"
         return response
 
 class MimeTypeJSFileFixStreamingMiddleware(MiddlewareMixin):

From eb867d2fb099ee2f4bf0cfbfaeba9e1ac895d780 Mon Sep 17 00:00:00 2001
From: Mohammed Tabraiz <tabraiz@cloudera.com>
Date: Mon, 30 Sep 2024 12:36:28 +0530
Subject: [PATCH 6/7] Review changes

---
 desktop/conf.dist/hue.ini                   |  3 +++
 desktop/core/src/desktop/lib/django_util.py |  7 +++--
 desktop/core/src/desktop/middleware.py      | 30 +++++++--------------
 3 files changed, 15 insertions(+), 25 deletions(-)

diff --git a/desktop/conf.dist/hue.ini b/desktop/conf.dist/hue.ini
index 2ea34fd5c1d..8edd7359576 100644
--- a/desktop/conf.dist/hue.ini
+++ b/desktop/conf.dist/hue.ini
@@ -137,6 +137,9 @@ http_500_debug_mode=false
 # X-Content-Type-Options: nosniff This is a HTTP response header feature that helps prevent attacks based on MIME-type confusion.
 ## secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.doubleclick.net data:;img-src 'self' *.doubleclick.net http://*.tile.osm.org *.tile.osm.org *.gstatic.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com;connect-src 'self' *.google-analytics.com;frame-src *;child-src 'self' data: *.vimeo.com;object-src 'none'"
 
+# Enable nonce attribute to remove unsafe-inline and auto remove unsafe-inline from csp 
+## csp_nonce=True
+
 # Strict-Transport-Security HTTP Strict Transport Security(HSTS) is a policy which is communicated by the server to the user agent via HTTP response header field name "Strict-Transport-Security". HSTS policy specifies a period of time during which the user agent(browser) should only access the server in a secure fashion(https).
 ## secure_ssl_redirect=False
 ## secure_redirect_host=0.0.0.0
diff --git a/desktop/core/src/desktop/lib/django_util.py b/desktop/core/src/desktop/lib/django_util.py
index 369ec619e6f..6ac5ed35cf1 100644
--- a/desktop/core/src/desktop/lib/django_util.py
+++ b/desktop/core/src/desktop/lib/django_util.py
@@ -504,11 +504,10 @@ def __init__(self, data, encoder=DjangoJSONEncoder, safe=True,
     super(JsonResponse, self).__init__(content=data, **kwargs)
 
 
-def nonce_attribute(context):
-    # Assuming 'csp_nonce' is set in the context and CSP_NONCE controls its usage
-
+def nonce_attribute(request):
+    # Assuming 'csp_nonce' is set in the request and CSP_NONCE controls its usage
     if desktop.conf.CSP_NONCE.get():
-        csp_nonce = context.csp_nonce
+        csp_nonce = request.csp_nonce
         if csp_nonce:
             return f' nonce={csp_nonce}'
     return ''
\ No newline at end of file
diff --git a/desktop/core/src/desktop/middleware.py b/desktop/core/src/desktop/middleware.py
index 91ff52188ac..05ecb8adde7 100644
--- a/desktop/core/src/desktop/middleware.py
+++ b/desktop/core/src/desktop/middleware.py
@@ -30,6 +30,7 @@
 import tempfile
 import time
 import traceback
+import secrets
 
 import kerberos
 import django.db
@@ -69,18 +70,8 @@
 
 from libsaml.conf import CDP_LOGOUT_URL
 from urllib.parse import urlparse
-
-import base64
 import os
 
-# Number of random bytes in the nonce:
-NONCE_BYTES = 24
-
-def generate_nonce():
-    """ Return a unique base64 encoded nonce hash."""
-    nonce = os.urandom(NONCE_BYTES)
-    return base64.b64encode(nonce).decode()
-
 
 def nonce_exists(response):
     """Check for preexisting nonce in style and script.
@@ -90,12 +81,11 @@ def nonce_exists(response):
 
      Returns:
          nonce_found (dict): Dictionary of nonces found
-         has_nonce (bool): True if any nonce has been found
      """
     try:
         csp = response['Content-Security-Policy']
     except KeyError:
-        csp = response['Content-Security-Policy-Report-Only']
+        csp = response.get('Content-Security-Policy-Report-Only', '')
 
     nonce_found = {}
 
@@ -109,10 +99,7 @@ def nonce_exists(response):
             if 'style-src' in directive:
                 nonce_found['style'] = directive
 
-    has_nonce = any(nonce_found)
-
-    return nonce_found, has_nonce
-
+    return nonce_found
 
 def get_header(response):
     """Get the CSP header type.
@@ -986,22 +973,23 @@ def __init__(self, get_response):
             raise exceptions.MiddlewareNotUsed
 
     def process_request(self, request):
-        nonce = generate_nonce()
+        nonce = secrets.token_urlsafe()
         request.csp_nonce = nonce
 
     def process_response(self, request, response):
-        # Add the secure CSP if it doesn't exist
+        if self.secure_content_security_policy and 'Content-Security-Policy' not in response:
+            response["Content-Security-Policy"] = self.secure_content_security_policy
+        
         if not CSP_NONCE.get():
           return response
 
-        if self.secure_content_security_policy and 'Content-Security-Policy' not in response:
-            response["Content-Security-Policy"] = self.secure_content_security_policy
 
         header = get_header(response)
         if not header or not hasattr(request, 'csp_nonce'):
             return response
 
-        nonce_found, has_nonce = nonce_exists(response)
+        nonce_found = nonce_exists(response)
+        has_nonce = bool(nonce_found)
         if has_nonce:
             logger.error("Nonce already exists: {}".format(nonce_found))
             return response

From fd903940db312d8956f50854327adb53b2945f06 Mon Sep 17 00:00:00 2001
From: Mohammed Tabraiz <tabraiz@cloudera.com>
Date: Mon, 30 Sep 2024 12:56:49 +0530
Subject: [PATCH 7/7] fixes to unsafe-fixes

---
 desktop/core/src/desktop/conf.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/desktop/core/src/desktop/conf.py b/desktop/core/src/desktop/conf.py
index 5d23e7e4338..070a8d4884e 100644
--- a/desktop/core/src/desktop/conf.py
+++ b/desktop/core/src/desktop/conf.py
@@ -398,10 +398,15 @@ def has_ssl_no_renegotiation():
 
 CSP_NONCE = Config(
   key="csp_nonce",
-  help=_('CSP NONCE can be true or false'),
+  help=_(
+    'Enables or disables the use of a cryptographic nonce in Content Security '
+    'Policy headers. When set to true, a unique nonce will be generated for each '
+    'request, and used in scripts and styles'
+  ),
   type=coerce_bool,
   default=False)
 
+
 SECURE_SSL_REDIRECT = Config(
   key="secure_ssl_redirect",
   help=_('If all non-SSL requests should be permanently redirected to SSL.'),