From 583328ef11e33feb43c1a5299b51c3a19790ad93 Mon Sep 17 00:00:00 2001
From: Maniack Crudelis <maniackcrudelis@users.noreply.github.com>
Date: Thu, 8 Mar 2018 00:17:00 +0100
Subject: [PATCH] Allow eval
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The blank page, instead of a login prompt, is linked to this error: `Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https: 'unsafe-eval'”)`
Maybe it's something about [this line](https://github.com/shellinabox/shellinabox/blob/d4bd77ca45a24befcd08f9046f450bd9eda8646b/shellinabox/shell_in_a_box.jspp#L200)

The only way I found to fix that is to allow to use eval.
---
 conf/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 374702d..e172ad6 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -10,6 +10,9 @@ location __PATH__ {
   tcp_nodelay on;
   access_log off;
   
+  # Allow shellinabox to use 'eval' without blocking the execution. But keep a warning.
+  add_header Content-Security-Policy-Report-Only "script-src https: 'unsafe-eval'";
+  
   # Include SSOWAT user panel.
   include conf.d/yunohost_panel.conf.inc;
   more_clear_input_headers 'Accept-Encoding';