Merge branch 'feature-DATAAPI-41_csp-nonce-support' into hotfix-3.7.5

Author: DominicWatson

handlers/rest-apis/data/v1/docs/Html.cfc

@@ -15,6 +15,8 @@ component {
 
 		args.spec = variables[ "_spec#api#" ];
 
+		event?.setContentSecurityPolicy( "default-src 'self'; style-src 'self' 'unsafe-inline' 'nonce-#event?.getRequestNonce()#'" );
+
 		restResponse.setData( Trim( renderView( view="/dataApiHtmlDocs/index", args=args ) ) );
 		restResponse.setMimeType( "text/html" );
 		restResponse.setRenderer( "html" );

handlers/rest-apis/data/v1/docs/Swagger.cfc

@@ -22,6 +22,8 @@ component {
 			args.favicon = event.buildLink( systemStaticAsset="/extension/preside-ext-data-api/assets/favicon-32x32.png" );
 		}
 
+		event?.setContentSecurityPolicy( "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; worker-src blob:;" );
+
 		restResponse.setData( Trim( renderView( view="/swaggerLayout", args=args ) ) );
 		restResponse.setMimeType( "text/html" );
 		restResponse.setRenderer( "html" );

views/dataApiHtmlDocs/index.cfm

@@ -14,7 +14,7 @@
 		<cfif Len( Trim( spec.info[ "x-favicon" ] ?: "" ) )>
 			<link rel="shortcut icon" href="#spec.info[ "x-favicon" ]#" type="image/x-icon" />
 		</cfif>
-		<style>
+		<style nonce="#event?.getRequestNonce()#">
 			<cfinclude template="htmlDocsCss.css" />
 		</style>
 	</head>

views/swaggerLayout.cfm

@@ -11,7 +11,7 @@
     <!--
     ReDoc doesn't change outer page styles
     -->
-    <style>
+    <style nonce="#event?.getRequestNonce()#">
       body {
         margin: 0;
         padding: 0;