From f692db53878cd16dddc77ab5bc7684164bd402ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Rie=C3=9F?=
Date: Thu, 12 Mar 2026 13:18:24 +0100
Subject: [PATCH] Allow for the usage of {style_nonce} in the custom CSP-Header setting
---
 library/Icinga/Util/Csp.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/library/Icinga/Util/Csp.php b/library/Icinga/Util/Csp.php
index 44716c4bd..a82c9cb67 100644
--- a/library/Icinga/Util/Csp.php
+++ b/library/Icinga/Util/Csp.php
@@ -157,12 +157,26 @@ class Csp
 {
 $config = Config::app();
 if ($config->get('security', 'use_custom_csp', 'y') === 'y') {
- return $config->get('security', 'custom_csp', '');
+ return self::getCustomContentSecurityPolicy();
 }
 return self::getAutomaticContentSecurityPolicy();
 }
+ public static function getCustomContentSecurityPolicy(): ?string
+ {
+ $csp = static::getInstance();
+
+ if (empty($csp->styleNonce)) {
+ throw new RuntimeException('No nonce set for CSS');
+ }
+
+ $config = Config::app();
+ $raw = $config->get('security', 'custom_csp');
+ $formated = str_replace('{style_nonce}', "'nonce{$csp->styleNonce}'", $raw);
+ return $formated;
+ }
+
 /**
 * Get the automatically generated Content-Security-Policy.
 *
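Review bot: The replacement string in `getCustomContentSecurityPolicy()` is built as `"'nonce{$csp->styleNonce}'"`, but a CSP nonce source has the form `'nonce-<value>'`; unless `styleNonce` already starts with a hyphen (not visible in this hunk), browsers will discard the expression and block nonce-carrying styles, which tends to push administrators toward `'unsafe-inline'`. The method also throws when no nonce is set even if the configured policy never uses `{style_nonce}`, and it drops the `''` default the old code passed to `$config->get()`, so an unset `custom_csp` reaches `str_replace()` as null. I would read the setting first with its default, return it unchanged when the placeholder is absent, and only then require the nonce, as in the excerpt below, which also adds the hyphen. The method has no docblock; one stating that `{style_nonce}` is the only substituted placeholder and that a missing nonce raises `RuntimeException` would help, and the hunk does not show whether `RuntimeException` is imported into this namespace.

```php
    public static function getCustomContentSecurityPolicy(): ?string
    {
        // Keep the old default so an unset option yields '' rather than null.
        $raw = (string) Config::app()->get('security', 'custom_csp', '');

        // Policies without the placeholder do not depend on a nonce being set.
        if (strpos($raw, '{style_nonce}') === false) {
            return $raw;
        }

        $csp = static::getInstance();
        if (empty($csp->styleNonce)) {
            throw new RuntimeException('No nonce set for CSS');
        }

        // CSP nonce sources are written 'nonce-<value>', including the hyphen.
        return str_replace('{style_nonce}', "'nonce-{$csp->styleNonce}'", $raw);
    }
```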