Diffstat (limited to 'src/main.rs')
-rw-r--r--src/main.rs29
1 files changed, 22 insertions, 7 deletions
diff --git a/src/main.rs b/src/main.rs
index 5c9f10c..4d0c1b3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -214,14 +214,21 @@ async fn service<C: Controller>(
) -> Result<HyperResponse, Infallible> {
let (mut parts, body) = request.into_parts();
+ let mut script_csp = "'none'".into();
+
let mut resp = build_response(args, &*controller, &mut parts, body)
.await
.map(|resp| match resp {
Response::Raw(resp) => resp,
- Response::Page(page) => Builder::new()
- .content_type(mime::TEXT_HTML)
- .body(render_page(&page, &*controller, &parts).into())
- .unwrap(),
+ Response::Page(page) => {
+ if !page.script_src.is_empty() {
+ script_csp = page.script_src.join(" ");
+ }
+ Builder::new()
+ .content_type(mime::TEXT_HTML)
+ .body(render_page(&page, &*controller, &parts).into())
+ .unwrap()
+ }
})
.unwrap_or_else(|err| {
let (status, message) = match err {
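Review bot: The `'none'` default on the first added line is the security-relevant fallback, and nothing in the code says so. It is what `Response::Raw`, the error branch below, and every `Page` with an empty `script_src` end up with. A comment such as `// Fail closed: anything that does not list script sources gets script-src 'none'.` would keep a later refactor from weakening it. The type of `script_csp` is also fixed only by the assignment inside the closure; `String::from("'none'")` would state it at the declaration. The body of `service` begins and ends outside this hunk.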
@@ -257,9 +264,9 @@ async fn service<C: Controller>(
resp.headers_mut().insert(
header::CONTENT_SECURITY_POLICY,
format!(
- "default-src 'self'; frame-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
- include_str!("static/edit_script.js.sha256"),
- include_str!("static/style.css.sha256"),
+ "default-src 'self'; frame-src 'none'; script-src {}; style-src {}",
+ script_csp,
+ include_str!("static/style.css.sha"),
)
.parse()
.unwrap(),
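Review bot: The header value passed to `.parse().unwrap()` is now built from per-page `script_src` entries and the raw contents of `static/style.css.sha`, and the format string no longer supplies the `'sha256-…'` wrapper. That file is not visible here, but it presumably has to hold the full quoted source expression with no trailing newline. A newline would make the parse fail and panic on every request, and a missing quote would produce a policy that blocks the stylesheet. I would trim at the use site, `include_str!("static/style.css.sha").trim_end(),`, and add a comment stating the expected file format. A `script_src` entry containing `;` would likewise start a new directive, so the same expectation should be written down for those values.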
@@ -267,10 +274,15 @@ async fn service<C: Controller>(
Ok(resp)
}
+#[derive(Default)]
pub struct Page {
title: String,
header: Option<String>,
body: String,
+ /// will be embedded as inline <script> tags
+ scripts: Vec<&'static str>,
+ /// for the Content Security Policy
+ script_src: Vec<&'static str>,
}
fn render_page<C: Controller>(page: &Page, controller: &C, parts: &Parts) -> String {
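Review bot: `scripts` and `script_src` are two parallel lists that must be kept in step by hand, and the doc comments do not say so. Each hash in `script_src` has to match the exact text of one entry in `scripts`; a script without its hash is blocked by the browser, while a leftover hash stays in the policy unnoticed. I would expand the comment on `script_src`, e.g. `/// CSP source expressions for script-src (a quoted 'sha256-…' hash per entry in scripts); empty means 'none'`. Alternatively, hold both as one `Vec<(&'static str, &'static str)>` of script and hash so they cannot drift apart. Only the signature of `render_page` is inside this hunk.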
@@ -289,6 +301,9 @@ fn render_page<C: Controller>(page: &Page, controller: &C, parts: &Parts) -> Str
);
out.push_str("</header>");
out.push_str(&page.body);
+ for script in &page.scripts {
+ out.push_str(&format!("<script>{}</script>", script));
+ }
out.push_str("</body></html>");
out
}
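Review bot: The added loop writes each inline script between the tags verbatim, so the policy hash matches only if these bytes are exactly the ones that were hashed. A script whose text contains `</script>` would also end the element early. Both constraints deserve a comment on the loop, since the entries are `&'static str` and the burden falls on whoever adds one. The temporary `String` from `format!` is avoidable too: `out.push_str("<script>"); out.push_str(script); out.push_str("</script>");`. The rest of `render_page` lies outside the hunk.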