From e0106a6e527b2f69d181865c3786c9ad76ae80ca Mon Sep 17 00:00:00 2001
From: djmaze
Date: Wed, 28 Jul 2021 14:41:43 +0200
Subject: [PATCH] CSP 'unsafe-eval' required for Knockout.js, see issue #103
---
 snappymail/v/0.0.0/app/libraries/RainLoop/Service.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php
index 7c13386f9a..da6e351f95 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php
@@ -207,7 +207,9 @@ private function setCSP(string $sScriptNonce = null) : void
 if ($sScriptNonce) {
 $sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", "\$1'nonce-{$sScriptNonce}'", $sContentSecurityPolicy);
 }
- $sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", '', $sContentSecurityPolicy);
+ $sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-inline'/", '$1', $sContentSecurityPolicy);
+ // Knockout.js requires eval() for observable binding purposes
+ //$sContentSecurityPolicy = \preg_replace("/(script-src[^;]+)'unsafe-eval'/", '$1', $sContentSecurityPolicy);
 }
 \header('Content-Security-Policy: '.$sContentSecurityPolicy, true);
 }
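Review bot: The two added comment lines after the `'unsafe-inline'` replacement leave `'unsafe-eval'` in `script-src` on every response and record that decision only as a commented-out `preg_replace`, so the policy still allows string-to-code evaluation (`eval()`, `new Function()`) even when a nonce is in use. I would drop the dead line and state the trade-off in the comment itself, e.g. `// 'unsafe-eval' is kept on purpose: Knockout.js evaluates binding strings (issue #103); remove it once bindings no longer need eval()`. Separately, `\preg_replace()` returns null on a PCRE error, which would send an empty `Content-Security-Policy:` header; ending the changed line with `?? $sContentSecurityPolicy` would keep the previous policy in that case. The enclosing `if` and the start of setCSP() lie outside the hunk, so the condition under which this branch runs is not visible here.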