From d435e0a5b0e07c145f929457313d8d7738f42b14 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Wed, 21 Feb 2018 13:59:53 -0500
Subject: [PATCH] Bug 1439797 - Enable reporting-only CSP by default

---
 Bugzilla/CGI.pm                               | 16 +++++-----
 Bugzilla/CGI/ContentSecurityPolicy.pm         |  4 +--
 chart.cgi                                     |  1 +
 .../en/default/account/create.html.tmpl       |  2 +-
 .../bug/create/create-automative.html.tmpl    |  4 +--
 .../bug/create/create-creative.html.tmpl      |  2 +-
 .../bug/create/create-fsa-budget.html.tmpl    |  2 +-
 .../bug/create/create-mozlist.html.tmpl       |  2 +-
 .../default/bug/create/create-mozpr.html.tmpl |  6 ++--
 .../default/bug/create/create-swag.html.tmpl  |  2 +-
 .../create/create-user-engagement.html.tmpl   |  2 +-
 .../admin/products/edit-common-rows.html.tmpl |  2 +-
 .../hook/attachment/edit-view.html.tmpl       |  2 +-
 .../hook/bug/comments-a_comment-end.html.tmpl |  2 +-
 .../hook/bug/comments-aftercomments.html.tmpl |  2 +-
 .../bug/comments-comment_banner.html.tmpl     |  2 +-
 .../hook/bug/edit-after_importance.html.tmpl  |  2 +-
 .../hook/bug/edit-custom_field.html.tmpl      |  2 +-
 .../pages/attachment_bounty_form.html.tmpl    |  6 ++--
 .../pages/release_tracking_report.html.tmpl   |  2 +-
 .../en/default/pages/triage_reports.html.tmpl |  2 +-
 .../en/default/pages/user_activity.html.tmpl  |  2 +-
 .../account/prefs/bugmail_filter.html.tmpl    |  2 +-
 .../account/prefs/component_watch.html.tmpl   |  4 +--
 .../components/edit-common-rows.html.tmpl     |  2 +-
 .../en/default/pages/edit_table.html.tmpl     |  2 +-
 .../default/flag/default_requestees.html.tmpl |  2 +-
 .../en/default/flag/type_comment.html.tmpl    |  2 +-
 .../en/default/guided/guided.html.tmpl        |  4 +--
 .../hook/bug/comments-aftercomments.html.tmpl |  2 +-
 .../en/default/pages/mydashboard.html.tmpl    |  2 +-
 .../edit-after_comment_textarea.html.tmpl     |  2 +-
 .../en/default/pages/push_config.html.tmpl    |  4 +--
 .../bug/create/create-remo-budget.html.tmpl   |  4 +--
 .../bug/create/create-remo-it.html.tmpl       |  2 +-
 .../bug/create/create-remo-swag.html.tmpl     |  2 +-
 .../default/pages/remo-form-payment.html.tmpl |  2 +-
 .../hook/attachment/create-end.html.tmpl      |  2 +-
 .../hook/attachment/edit-end.html.tmpl        |  2 +-
 .../hook/bug/create/create-end.html.tmpl      |  2 +-
 .../hook/bug/edit-after_people.html.tmpl      |  2 +-
 .../hook/flag/list-requestee.html.tmpl        |  2 +-
 .../en/default/pages/review_history.html.tmpl |  2 +-
 .../hook/admin/users/userdata-end.html.tmpl   |  2 +-
 .../en/default/pages/splinter.html.tmpl       |  4 +--
 .../en/default/bug/tracking_flags.html.tmpl   |  4 +--
 .../hook/bug/create/create-form.html.tmpl     |  2 +-
 .../bug/edit-after_custom_fields.html.tmpl    |  2 +-
 .../default/hook/bug/field-editable.html.tmpl |  2 +-
 .../pages/tracking_flags_admin_edit.html.tmpl |  2 +-
 .../bug/comments-comment_banner.html.tmpl     |  4 +--
 .../create-after_custom_fields.html.tmpl      |  2 +-
 .../admin/products/edit-common-rows.html.tmpl |  2 +-
 report.cgi                                    |  2 ++
 static/metricsgraphics/socorro-lens.html      |  2 +-
 .../en/default/account/prefs/email.html.tmpl  |  2 +-
 .../account/prefs/saved-searches.html.tmpl    |  2 +-
 .../default/account/prefs/settings.html.tmpl  |  2 +-
 .../admin/custom_fields/create.html.tmpl      |  2 +-
 .../en/default/admin/params/common.html.tmpl  |  2 +-
 .../default/admin/workflow/comment.html.tmpl  |  2 +-
 .../en/default/admin/workflow/edit.html.tmpl  |  2 +-
 .../en/default/attachment/create.html.tmpl    |  2 +-
 .../attachment/createformcontents.html.tmpl   | 17 ++++++++---
 .../en/default/attachment/diff-file.html.tmpl |  2 +-
 template/en/default/attachment/edit.html.tmpl |  4 +--
 template/en/default/attachment/list.html.tmpl |  2 +-
 template/en/default/bug/comments.html.tmpl    |  8 ++---
 .../bug/create/create-guided.html.tmpl        |  4 +--
 .../en/default/bug/create/create.html.tmpl    |  8 ++---
 template/en/default/bug/edit.html.tmpl        | 12 ++++----
 template/en/default/bug/field.html.tmpl       | 12 ++++----
 template/en/default/bug/knob.html.tmpl        |  2 +-
 .../en/default/bug/summarize-time.html.tmpl   |  2 +-
 .../en/default/list/edit-multiple.html.tmpl   |  6 ++--
 template/en/default/list/quips.html.tmpl      |  2 +-
 template/en/default/mfa/duo/verify.html.tmpl  |  2 +-
 .../en/default/reports/create-chart.html.tmpl | 30 +++++++++++--------
 .../en/default/reports/keywords.html.tmpl     |  2 +-
 .../en/default/reports/report-table.html.tmpl |  2 +-
 .../default/reports/series-common.html.tmpl   |  2 +-
 template/en/default/reports/series.html.tmpl  | 23 +++++++++-----
 template/en/default/request/queue.html.tmpl   |  2 +-
 .../default/search/boolean-charts.html.tmpl   |  4 +--
 template/en/default/search/field.html.tmpl    |  4 +--
 template/en/default/search/form.html.tmpl     |  4 +--
 .../search/search-create-series.html.tmpl     |  2 +-
 .../default/search/search-instant.html.tmpl   |  2 +-
 .../search/search-report-graph.html.tmpl      |  2 +-
 89 files changed, 175 insertions(+), 152 deletions(-)

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 35d6dd687f..513d8c3021 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -34,8 +34,9 @@ BEGIN {
 sub DEFAULT_CSP {
     my %policy = (
         default_src => [ 'self' ],
-        script_src  => [ 'self', 'unsafe-inline', 'unsafe-eval', 'https://www.google-analytics.com' ],
-        child_src   => [ 'self', ],
+        script_src  => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
+        frame_src   => [ 'none', ],
+        worker_src  => [ 'none', ],
         img_src     => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
         style_src   => [ 'self', 'unsafe-inline' ],
         object_src  => [ 'none' ],
@@ -45,7 +46,7 @@ sub DEFAULT_CSP {
             'https://www.google.com/search'
         ],
         frame_ancestors => [ 'none' ],
-        disable         => 1,
+        report_only     => 1,
     );
     if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
         push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
@@ -68,11 +69,8 @@ sub SHOW_BUG_MODAL_CSP {
             # This is from extensions/OrangeFactor/web/js/orange_factor.js
             'https://brasstacks.mozilla.com/orangefactor/api/count',
         ],
-        child_src   => [
-            'self',
-            # This is for the socorro lens addon and is to be removed by Bug 1332016
-            'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
-        ],
+        frame_src   => [ 'none', ],
+        worker_src  => [ 'none', ],
     );
     if (use_attachbase() && $bug_id) {
         my $attach_base = Bugzilla->localconfig->{'attachment_base'};
@@ -194,7 +192,7 @@ sub content_security_policy {
         require Bugzilla::CGI::ContentSecurityPolicy;
         if (%add_params || !$self->{Bugzilla_csp}) {
             my %params = DEFAULT_CSP;
-            delete $params{disable} if %add_params && !$add_params{disable};
+            delete $params{report_only} if %add_params && !$add_params{report_only};
             foreach my $key (keys %add_params) {
                 if (defined $add_params{$key}) {
                     $params{$key} = $add_params{$key};
diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm
index 88f2732bc3..50a399cdc1 100644
--- a/Bugzilla/CGI/ContentSecurityPolicy.pm
+++ b/Bugzilla/CGI/ContentSecurityPolicy.pm
@@ -34,10 +34,10 @@ my $REFERRER_KEYWORD = enum [qw(
 
 my @ALL_BOOL = qw( sandbox upgrade_insecure_requests );
 my @ALL_SRC = qw(
-    default_src child_src  connect_src
+    default_src worker_src  connect_src
     font_src    img_src    media_src
     object_src  script_src style_src
-    frame_ancestors form_action
+    frame_src frame_ancestors form_action
 );
 
 has \@ALL_SRC     => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 );
diff --git a/chart.cgi b/chart.cgi
index 26f21c389b..36357cb3c1 100755
--- a/chart.cgi
+++ b/chart.cgi
@@ -51,6 +51,7 @@ local our $cgi = Bugzilla->cgi;
 local our $template = Bugzilla->template;
 local our $vars = {};
 my $dbh = Bugzilla->dbh;
+$cgi->content_security_policy(report_only => 0);
 
 my $user = Bugzilla->login(LOGIN_REQUIRED);
 
diff --git a/extensions/BMO/template/en/default/account/create.html.tmpl b/extensions/BMO/template/en/default/account/create.html.tmpl
index d293031049..10d5fb5c17 100644
--- a/extensions/BMO/template/en/default/account/create.html.tmpl
+++ b/extensions/BMO/template/en/default/account/create.html.tmpl
@@ -38,7 +38,7 @@
    style_urls = [ 'extensions/BMO/web/styles/create_account.css' ]
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 function onSubmit() {
   var email = document.getElementById('login').value;
   var agreed = document.getElementById('etiquette').checked;
diff --git a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl
index a29f1f4f20..d1ed4b4b54 100644
--- a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl
@@ -182,7 +182,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_prototype_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('prototype_date')
     </script>
   </div>
@@ -200,7 +200,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_production_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('production_date')
     </script>
   </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl
index 13620d1c4f..eac24e53ec 100644
--- a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl
@@ -209,7 +209,7 @@ function toggleTypeOther(element) {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_launch_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('launch_date')
   </script>
 </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl
index 942b37afac..d97d95b2a6 100644
--- a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl
@@ -139,7 +139,7 @@ function validateAndSubmit() {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_cf_due_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('cf_due_date')
   </script>
 </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl
index ab03523ae6..8414770997 100644
--- a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl
@@ -16,7 +16,7 @@
    style = ".mandatory{color:red;font-size:80%;}"
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
     function trySubmit() {
         var alert_text = "";
diff --git a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl
index 2d590fcfc1..d2b1c1f08d 100644
--- a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl
@@ -327,7 +327,7 @@ function validate_form() {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_start_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('start_date')
   </script>
 </div>
@@ -341,7 +341,7 @@ function validate_form() {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_announce_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('announce_date')
   </script>
 </div>
@@ -355,7 +355,7 @@ function validate_form() {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_cf_due_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('cf_due_date')
   </script>
 </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl
index 859d77194c..28b8045f61 100644
--- a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl
@@ -810,7 +810,7 @@ function showGear() {
   We do this to help protect the personal identifying information in this [% terms.bugs %].
 </p>
 
-<script>
+<script [% script_nonce FILTER none %]>
   initFields();
   onPurposeChange();
   onAddGearChange();
diff --git a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl
index 7df6247000..64af64a6b9 100644
--- a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl
@@ -166,7 +166,7 @@ function toggleGoalOther() {
     <span>Calendar</span>
   </button>
   <div id="con_calendar_timing_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     createCalendar('timing_date')
   </script>
 </div>
diff --git a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
index 5486684f1b..632ccb1e65 100644
--- a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
@@ -30,7 +30,7 @@
     <span id="security_group_warning" style="color:red; display:none;">
       This security group needs to be set to SHOWN/SHOWN
     </span>
-    <script>
+    <script [% script_nonce FILTER none %]>
       var toggleGroupWarning = function() {
         var correct_shown = $('#security_group_id option:selected').data('group-correct-visibility');
         if ($('#security_group_id').val() === '' || correct_shown) {
diff --git a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl
index c66a023719..e28a142ae8 100644
--- a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl
@@ -35,7 +35,7 @@
     [% attachment_data FILTER html %]
   </pre>
   [% IF user.id %]
-    <script>
+    <script [% script_nonce FILTER none %]>
     <!--
       var patchviewerinstalled = 0;
       document.write('<button type="button" id="editButton" onclick="editAsComment(patchviewerinstalled);">Edit Attachment As Comment<\/button>');
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl
index 3c47ca199c..d6dec42b98 100644
--- a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl
@@ -10,7 +10,7 @@
       && (comment.author.login_name == 'tbplbot@gmail.com' || comment.author.login_name == 'orangefactor@bots.tld')
 %]
   [% has_tbpl_comment = 1 %]
-  <script>
+  <script [% script_nonce FILTER none %]>
     var id = [% count FILTER none %];
     tbpl_comment_ids.push(id);
     collapse_comment(
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl
index 65bf77967c..aa76de1222 100644
--- a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl
@@ -11,7 +11,7 @@
   [% collapse_caption = 'Collapse TinderboxPushlog Comments' %]
   [% show_caption     = 'Show TinderboxPushlog Comments' %]
   [% hide_caption     = 'Hide TinderboxPushlog Comments' %]
-  <script>
+  <script [% script_nonce FILTER none %]>
     YAHOO.util.Event.onDOMReady(function () {
         var ul = document.getElementsByClassName('bz_collapse_expand_comments');
         if (ul.length == 0)
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl
index 135e1cd952..f490ad826b 100644
--- a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl
@@ -10,6 +10,6 @@
 
 [%# Needed for collapsing TinderboxPushlog comments %]
 [% has_tbpl_comment = 0 %]
-<script>
+<script [% script_nonce FILTER none %]>
   var tbpl_comment_ids = new Array();
 </script>
diff --git a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl
index 6e15e50d31..1dec71b8df 100644
--- a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl
@@ -7,7 +7,7 @@
   #%]
 
 [%# Display product and component descriptions after their respective fields %]
-<script>
+<script [% script_nonce FILTER none %]>
   var Event = YAHOO.util.Event;
   var Dom = YAHOO.util.Dom;
   Event.onDOMReady(function() {
diff --git a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl
index 31669f47fa..87b51c9240 100644
--- a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl
@@ -45,7 +45,7 @@
             id = field.name name = field.name minrows = 4 maxrows = 8
             cols = 60 defaultcontent = value %]
       </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
         hideEditableField('[% field.name FILTER js %]_edit_container',
                           '[% field.name FILTER js %]_input',
                           '[% field.name FILTER js %]_edit_action',
diff --git a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
index a538e93472..faf32aa368 100644
--- a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
@@ -162,7 +162,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_reported_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('reported_date')
     </script>
   </div>
@@ -177,7 +177,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_fixed_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('fixed_date')
     </script>
   </div>
@@ -192,7 +192,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_awarded_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('awarded_date')
     </script>
   </div>
diff --git a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl
index 79587205c1..8ee3d0d593 100644
--- a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl
@@ -18,7 +18,7 @@
 <h1>JavaScript is required to use this report.</h1>
 </noscript>
 
-<script>
+<script [% script_nonce FILTER none %]>
 var flags_data = $.parseJSON("[% flags_json FILTER js %]");
 var products_data = $.parseJSON("[% products_json FILTER js %]");
 var fields_data = $.parseJSON("[% fields_json FILTER js %]");
diff --git a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl
index 05efefca5d..13904f61b7 100644
--- a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl
@@ -137,7 +137,7 @@ Show UNCONFIRMED [% terms.bugs %] with:
 </table>
 
 </form>
-<script>
+<script [% script_nonce FILTER none %]>
   createCalendar('last_is');
 </script>
 
diff --git a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl
index 33aa27e3d7..075c8edf91 100644
--- a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl
@@ -83,7 +83,7 @@
 [% END %]
 </form>
 
-<script>
+<script [% script_nonce FILTER none %]>
   createCalendar('from');
   createCalendar('to');
 </script>
diff --git a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl
index 32cb55ea15..bb1381c46e 100644
--- a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl
+++ b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl
@@ -14,7 +14,7 @@
 [% SET selectable_products = user.get_selectable_products %]
 [% SET dont_show_button = 1 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 var useclassification = false;
 var first_load = true;
 var last_sel = [];
diff --git a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl
index b70a46b35d..2a2ab6bc5c 100644
--- a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl
+++ b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl
@@ -23,7 +23,7 @@
 }
 </style>
 
-<script>
+<script [% script_nonce FILTER none %]>
 var Dom = YAHOO.util.Dom;
 var useclassification = false;
 var first_load = true;
@@ -47,7 +47,7 @@ var watch_users = new Array();
 <script src="[% 'js/productform.js' FILTER version FILTER html %]">
 </script>
 
-<script>
+<script [% script_nonce FILTER none %]>
 function onSelectProduct() {
   var component = Dom.get('component');
   selectProduct(Dom.get('product'), component);
diff --git a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl
index e6a04f092e..940fc2d115 100644
--- a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl
+++ b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl
@@ -27,7 +27,7 @@
   </td>
 </tr>
 
-<script>
+<script [% script_nonce FILTER none %]>
 function sanitise_name(name) {
   return name.toLowerCase()
              .replace(/[^a-z0-9_]/g, '-')
diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
index 98a8f41842..8d8b125053 100644
--- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
+++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
@@ -35,7 +35,7 @@
 <input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden">
 </form>
 
-<script>
+<script [% script_nonce FILTER none %]>
   var table_data_str = "[% table_data FILTER js %]";
   var table_data = $.parseJSON(table_data_str);
   var editTable = new EditTable('edit_table', table_data);
diff --git a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl
index 08f90b8d45..0cb5f2ff16 100644
--- a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl
+++ b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl
@@ -7,7 +7,7 @@
   #%]
 
 [% IF flag_default_requestees.keys.size %]
-  <script>
+  <script [% script_nonce FILTER none %]>
   var currently_requested = new Array();
   var default_requestees = new Array();
   [% FOREACH id = flag_currently_requested.keys %]
diff --git a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl
index 7cadbdca5d..88d9d4dd78 100644
--- a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl
+++ b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl
@@ -21,7 +21,7 @@
   #%]
 
 [% IF ftc_flags.keys.size %]
-  <script>
+  <script [% script_nonce FILTER none %]>
   YAHOO.util.Event.onDOMReady(function() {
     var selects = YAHOO.util.Dom.getElementsByClassName('flag_select');
     for (var i = 0; i < selects.length; i++) {
diff --git a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl
index b9cfa6fbf4..20192841f5 100644
--- a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl
+++ b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl
@@ -32,7 +32,7 @@ Please use the <a href="enter_bug.cgi?format=__default__">advanced [% terms.bug
 <div id="loading" class="hidden">
 Please wait...
 </div>
-<script>
+<script [% script_nonce FILTER none %]>
 YAHOO.util.Dom.removeClass('loading', 'hidden');
 </script>
 
@@ -50,7 +50,7 @@ YAHOO.util.Dom.removeClass('loading', 'hidden');
   <a id="advanced_link" href="enter_bug.cgi?format=__default__">Switch to the advanced [% terms.bug %] entry form</a>
 </div>
 
-<script>
+<script [% script_nonce FILTER none %]>
 YAHOO.util.Dom.addClass('loading', 'hidden');
 guided.init({ webdev: [% webdev ? "true" : "false" %] });
 guided.currentUser = '[% user.login FILTER js %]';
diff --git a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl
index c224a4e45f..d0a3abb5b6 100644
--- a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl
+++ b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl
@@ -10,7 +10,7 @@
 [%# this div exists to allow bugzilla-tweaks to detect when we're active %]
 <div id="inline-history-ext"></div>
 
-<script>
+<script [% script_nonce FILTER none %]>
   var ih_activity = new Array();
   var ih_activity_flags = new Array();
   var ih_activity_sort_order = '[% user.settings.comment_sort_order.value FILTER js %]';
diff --git a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl
index e07edbc83e..7956fcfae1 100644
--- a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl
+++ b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl
@@ -74,7 +74,7 @@
   </div>
 </script>
 
-<script>
+<script [% script_nonce FILTER none %]>
   [% IF Param('splinter_base') %]
     MyDashboard.splinter_base = '[% Bugzilla.splinter_review_base FILTER js %]';
   [% END %]
diff --git a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl
index 22ee41af68..9ed394fbb1 100644
--- a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl
+++ b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl
@@ -9,7 +9,7 @@
 [% PROCESS bug/needinfo.html.tmpl
    bug => attachment.bug
 %]
-<script>
+<script [% script_nonce FILTER none %]>
   document.getElementById('editButton').addEventListener('click', function() {
     document.getElementById('attachment_view_window')
       .appendChild(document.getElementById('needinfo_container'));
diff --git a/extensions/Push/template/en/default/pages/push_config.html.tmpl b/extensions/Push/template/en/default/pages/push_config.html.tmpl
index 3783ecad66..dd5507bbc4 100644
--- a/extensions/Push/template/en/default/pages/push_config.html.tmpl
+++ b/extensions/Push/template/en/default/pages/push_config.html.tmpl
@@ -12,7 +12,7 @@
   style_urls = [ 'extensions/Push/web/admin.css' ]
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 var push_defaults = new Array();
 [% FOREACH option = push.config.options %]
   [% IF option.name != 'enabled' && option.default != '' %]
@@ -127,7 +127,7 @@ var push_defaults = new Array();
     </tr>
   [% END %]
   [% IF name != 'global' %]
-    <script>
+    <script [% script_nonce FILTER none %]>
       var is_enabled = document.getElementById('[% name FILTER js %]_enabled').value == 'Enabled';
       toggle_options(is_enabled, '[% name FILTER js %]');
     </script>
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl
index 62f45d5683..5c19ac7581 100644
--- a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl
@@ -23,7 +23,7 @@
 any persons designated in the CC line, and authorized members of the Mozilla
 Rep team.</p>
 
-<script>
+<script [% script_nonce FILTER none %]>
 function trySubmit() {
   var firstname = document.getElementById('firstname').value;
   var lastname = document.getElementById('lastname').value;
@@ -135,7 +135,7 @@ function validateAndSubmit() {
       <span>Calendar</span>
     </button>
     <div id="con_calendar_cf_due_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('cf_due_date')
     </script>
   </td>
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl
index 10f65de398..af3db60bcc 100644
--- a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl
@@ -17,7 +17,7 @@
 [% USE Bugzilla %]
 [% mandatory = '<span class="mandatory" title="Required">*</span>' %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 var Dom = YAHOO.util.Dom;
 
 function mandatory(elements) {
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl
index bc7c0d146e..18b5a6c386 100644
--- a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl
@@ -27,7 +27,7 @@
 <p>These requests will only be visible to the person who submitted the request,
 any persons designated in the CC line, and authorized members of the Mozilla Rep team.</p>
 
-<script>
+<script [% script_nonce FILTER none %]>
 function trySubmit() {
   var eventname = document.getElementById('eventname').value;
   var shortdesc = 'Swag Request - ' + eventname;
diff --git a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl
index 4b4f237c25..1e1889089f 100644
--- a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl
+++ b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl
@@ -30,7 +30,7 @@
                        'js/field.js' ]
 %]
 
-<script></script>
+<script [% script_nonce FILTER none %]></script>
 
 <h1>Mozilla Reps - Payment Form</h1>
 
diff --git a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl
index 22d95d694c..ed5ae7b36e 100644
--- a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl
@@ -10,7 +10,7 @@
   [% bug = attachment.bug %]
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   $(function() {
     [% IF bug.product_obj.reviewer_required %]
       REVIEW.init_mandatory();
diff --git a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl
index be866ae4bb..5e7629eac2 100644
--- a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl
@@ -7,7 +7,7 @@
   #%]
 
 [% IF attachment.bug.product_obj.reviewer_required %]
-<script>
+<script [% script_nonce FILTER none %]>
 $(function() {
   REVIEW.init_mandatory();
 });
diff --git a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl
index c2c574bd94..04ec1b13b7 100644
--- a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl
@@ -6,7 +6,7 @@
   # defined by the Mozilla Public License, v. 2.0.
   #%]
 
-<script>
+<script [% script_nonce FILTER none %]>
   $(function() {
     [% IF product.reviewer_required %]
       REVIEW.init_mandatory();
diff --git a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl
index b2f375b888..2392f5f6a3 100644
--- a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl
+++ b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl
@@ -36,7 +36,7 @@
          %]
         <br>
       </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
         hideEditableField('bz_bug_mentors_edit_container',
                           'bz_bug_mentors_input',
                           'bz_bug_mentors_edit_action',
diff --git a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl
index 2c06f49501..771bc803c3 100644
--- a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl
+++ b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl
@@ -12,6 +12,6 @@
   &nbsp;&nbsp;<a href="#" id="[% fid FILTER none %]_suggestions_link">suggested reviewers &#9662;</a>
 </span>
 
-<script>
+<script [% script_nonce FILTER none %]>
   REVIEW.init_review_flag('[% fid FILTER none %]', '[% flag_name FILTER none %]');
 </script>
diff --git a/extensions/Review/template/en/default/pages/review_history.html.tmpl b/extensions/Review/template/en/default/pages/review_history.html.tmpl
index d80ed5e0ad..c8263bc520 100644
--- a/extensions/Review/template/en/default/pages/review_history.html.tmpl
+++ b/extensions/Review/template/en/default/pages/review_history.html.tmpl
@@ -19,7 +19,7 @@
             'js/field.js' ]
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   $(function () {
     YUI({
       base: 'js/yui3/',
diff --git a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl
index 1b65e71a88..a90266dae6 100644
--- a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl
+++ b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl
@@ -31,7 +31,7 @@
   </td>
 </tr>
 
-<script>
+<script [% script_nonce FILTER none %]>
 $(function() {
     'use strict';
     var securemail_groups = [];
diff --git a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl
index 9e59f15203..b5cab5c592 100644
--- a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl
+++ b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl
@@ -37,7 +37,7 @@
 
 [% can_edit = 0 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   Splinter.configBase = '[% Bugzilla.splinter_review_base FILTER js %]';
   Splinter.configBugUrl = '[% urlbase FILTER js %]';
   Splinter.configHaveExtension = true;
@@ -229,7 +229,7 @@
                                              any_flags_requesteeble = any_flags_requesteeble
             %]
           [% END %]
-          <script>
+          <script [% script_nonce FILTER none %]>
             [% FOREACH flag_type = flag_types %]
               [% NEXT UNLESS flag_type.is_active %]
               Event.addListener('flag_type-[% flag_type.id FILTER js %]', 'change',
diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
index 962271254a..3fbb622de7 100644
--- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
@@ -32,7 +32,7 @@
               [% value.name FILTER html %]</option>
           [% END %]
         </select>
-        <script>
+        <script [% script_nonce FILTER none %]>
           initHidingOptionsForIE('[% flag.name FILTER js %]');
         </script>
         [% IF !new_bug && user.id %]
@@ -47,7 +47,7 @@
   </tr>
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
   TrackingFlags = $.parseJSON(tracking_flags_str);
 </script>
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
index 4bb9e1eab5..005cc80625 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
@@ -28,7 +28,7 @@
   END;
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   $(function() {
     var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]";
     var tracking_flag_components = $.parseJSON(tracking_flag_components_str);
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
index 1571fc4f92..1fccf69494 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
@@ -40,7 +40,7 @@
   [% END %]
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
   var TrackingFlags = $.parseJSON(tracking_flags_str);
   hide_tracking_flags();
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl
index fb09b0ac1e..91f89ea734 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl
@@ -29,7 +29,7 @@
     </option>
   [% END %]
 </select>
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
   initHidingOptionsForIE('[% field.name FILTER js %]');
   [%+ INCLUDE "bug/field-events.js.tmpl"
diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
index e381c4f1c7..e1263a308a 100644
--- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
@@ -29,7 +29,7 @@ var selected_components = [
   style_urls = [ 'extensions/TrackingFlags/web/styles/admin.css' ]
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   var groups_str = "[% groups || '[]' FILTER js %]";
   var groups = $.parseJSON(groups_str);
   var flag_values_str = "[% values || '[]' FILTER js %]";
diff --git a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl
index c6a16f7d08..e063ac9420 100644
--- a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl
+++ b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl
@@ -11,7 +11,7 @@
 [% can_edit_story = bug.check_can_change_field('cf_user_story', 0, 1) %]
 
 <div class="user_story">
-  <script>
+  <script [% script_nonce FILTER none %]>
     function userStoryComment() {
         var commenttext = "(Commenting on User Story)\n";
         var text_elem = document.getElementById('user_story');
@@ -61,7 +61,7 @@
                 cols    = constants.COMMENT_COLS
                 defaultcontent = bug.cf_user_story %]
     </div>
-    <script>
+    <script [% script_nonce FILTER none %]>
       YAHOO.util.Event.addListener('user_story_edit_action', 'click', function() {
         YAHOO.util.Dom.addClass('user_story_edit', 'bz_default_hidden');
         YAHOO.util.Dom.addClass('user_story_readonly', 'bz_default_hidden');
diff --git a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl
index 77734408a2..6079ec616a 100644
--- a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl
+++ b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl
@@ -32,7 +32,7 @@
             defaultcontent = user_story_default
         %]
       </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
         var user_story_exclude_components = [];
         [% FOREACH c = default.user_story_visible.1 %]
           user_story_exclude_components.push('[% c FILTER js %]');
diff --git a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
index e5a29ba565..fde6434deb 100644
--- a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
+++ b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
@@ -50,7 +50,7 @@
            value="[% product.votestoconfirm FILTER html %]">
     <br>(Setting this to 0 disables auto-confirming [% terms.bugs %]
     by vote.)
-    <script>
+    <script [% script_nonce FILTER none %]>
         YAHOO.util.Event.addListener('allows_unconfirmed', 'change',
             function() { bz_toggleClass('votes_to_confirm_container',
                                         'bz_default_hidden'); });
diff --git a/report.cgi b/report.cgi
index b9f398cae4..7ec2bb04f3 100755
--- a/report.cgi
+++ b/report.cgi
@@ -25,6 +25,8 @@ my $cgi = Bugzilla->cgi;
 my $template = Bugzilla->template;
 my $vars = {};
 
+$cgi->content_security_policy(report_only => 0);
+
 # Go straight back to query.cgi if we are adding a boolean chart.
 if (grep(/^cmd-/, $cgi->param())) {
     my $params = $cgi->canonicalise_query("format", "ctype");
diff --git a/static/metricsgraphics/socorro-lens.html b/static/metricsgraphics/socorro-lens.html
index 786394228c..9af0613237 100644
--- a/static/metricsgraphics/socorro-lens.html
+++ b/static/metricsgraphics/socorro-lens.html
@@ -37,7 +37,7 @@
     </div>
     <div style="width:300px; height:75px; color:red; text-align:center; visibility:hidden;" id='warn'></div>
     <script src='js/main.js'></script>
-    <script>
+    <script [% script_nonce FILTER none %]>
       document.addEventListener('DOMContentLoaded', function () {
         document.querySelector('select[name="channel"]').onchange = channelEventHandler;
         document.querySelector('select[name="match"]').onchange = matchEventHandler;
diff --git a/template/en/default/account/prefs/email.html.tmpl b/template/en/default/account/prefs/email.html.tmpl
index d09bffc5d1..014bf4f3d9 100644
--- a/template/en/default/account/prefs/email.html.tmpl
+++ b/template/en/default/account/prefs/email.html.tmpl
@@ -41,7 +41,7 @@
   filter some or all notifications.
 </p>
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
 function SetCheckboxes(setting) {
   for (var count = 0; count < document.userprefsform.elements.length; count++) {
diff --git a/template/en/default/account/prefs/saved-searches.html.tmpl b/template/en/default/account/prefs/saved-searches.html.tmpl
index 58448eb5e7..426b593dca 100644
--- a/template/en/default/account/prefs/saved-searches.html.tmpl
+++ b/template/en/default/account/prefs/saved-searches.html.tmpl
@@ -25,7 +25,7 @@
   #%]
 
 [% IF user.can_bless %]
-  <script><!--
+  <script [% script_nonce FILTER none %]><!--
     function update_checkbox(group) {
       var bless_groups = [[% bless_group_ids.join(",") FILTER js %]];
       var checkbox = document.getElementById(group.name.replace(/share_(\d+)/, "force_$1"));
diff --git a/template/en/default/account/prefs/settings.html.tmpl b/template/en/default/account/prefs/settings.html.tmpl
index b09d7a4912..c7208ff295 100644
--- a/template/en/default/account/prefs/settings.html.tmpl
+++ b/template/en/default/account/prefs/settings.html.tmpl
@@ -80,7 +80,7 @@
   </table>
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 $().ready(function() {
   var id = document.location.hash.substring(1) + '_row';
   $('#' + id).addClass('highlighted');
diff --git a/template/en/default/admin/custom_fields/create.html.tmpl b/template/en/default/admin/custom_fields/create.html.tmpl
index 41852de031..2b3f0eadb9 100644
--- a/template/en/default/admin/custom_fields/create.html.tmpl
+++ b/template/en/default/admin/custom_fields/create.html.tmpl
@@ -32,7 +32,7 @@
 %]
 
 [%# set initial editability of fields such as Reverse Relationship Description %]
-<script>
+<script [% script_nonce FILTER none %]>
 YAHOO.util.Event.onDOMReady(function() {onChangeType(document.getElementById('type'))});
 </script>
 
diff --git a/template/en/default/admin/params/common.html.tmpl b/template/en/default/admin/params/common.html.tmpl
index 4941afa38b..cd135e1d29 100644
--- a/template/en/default/admin/params/common.html.tmpl
+++ b/template/en/default/admin/params/common.html.tmpl
@@ -111,7 +111,7 @@
           </tr>
         </table>
 
-        <script>
+        <script [% script_nonce FILTER none %]>
             bz_toggleClass("input_[% param.name FILTER html %]", "bz_default_hidden");
             bz_toggleClass("table_[% param.name FILTER html %]", "bz_default_hidden");
         </script>
diff --git a/template/en/default/admin/workflow/comment.html.tmpl b/template/en/default/admin/workflow/comment.html.tmpl
index 9b447f777e..8f64c77a62 100644
--- a/template/en/default/admin/workflow/comment.html.tmpl
+++ b/template/en/default/admin/workflow/comment.html.tmpl
@@ -21,7 +21,7 @@
    style_urls = ['skins/standard/admin.css']
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
   function toggle_cell(cell) {
     if (cell.checked)
diff --git a/template/en/default/admin/workflow/edit.html.tmpl b/template/en/default/admin/workflow/edit.html.tmpl
index 5646c294d6..97bbec7960 100644
--- a/template/en/default/admin/workflow/edit.html.tmpl
+++ b/template/en/default/admin/workflow/edit.html.tmpl
@@ -21,7 +21,7 @@
    style_urls = ['skins/standard/admin.css']
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
   function toggle_cell(cell) {
     if (cell.checked)
diff --git a/template/en/default/attachment/create.html.tmpl b/template/en/default/attachment/create.html.tmpl
index e058b3defd..329e0ab498 100644
--- a/template/en/default/attachment/create.html.tmpl
+++ b/template/en/default/attachment/create.html.tmpl
@@ -39,7 +39,7 @@
   doc_section = "attachments.html"
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
 TUI_hide_default('attachment_text_field');
 -->
diff --git a/template/en/default/attachment/createformcontents.html.tmpl b/template/en/default/attachment/createformcontents.html.tmpl
index dc861b7a69..41a02a913c 100644
--- a/template/en/default/attachment/createformcontents.html.tmpl
+++ b/template/en/default/attachment/createformcontents.html.tmpl
@@ -21,13 +21,22 @@
   #                 Marc Schumann <wurblzap@gmail.com>
   #%]
 
+<script [% script_nonce FILTER none %]>
+  document.addEventListener("DOMContentLoaded", function (event) {
+    document.querySelector("#attachment_data_controller").addEventListener(
+      "click", function (event) {
+        TUI_toggle_class('attachment_text_field');
+        TUI_toggle_class('attachment_data');
+      });
+  });
+</script>
+
 <tr class="attachment_data">
   <th><label for="data">File</label>:</th>
   <td>
     <em>Enter the path to the file on your computer</em> (or
-    <a id="attachment_data_controller" href="javascript:TUI_toggle_class('attachment_text_field');
-                                             javascript:TUI_toggle_class('attachment_data')"
-    >paste text as attachment</a>).<br>
+    <a id="attachment_data_controller">
+    paste text as attachment</a>).<br>
     <input type="file" id="data" name="data" size="50">
   </td>
 </tr>
@@ -58,7 +67,7 @@
     <input type="checkbox" id="ispatch" name="ispatch" value="1">
     <label for="ispatch">patch</label><br><br>
     [%# Reset this whenever the page loads so that the JS state is up to date %]
-    <script [% csp_nonce FILTER none %]>
+    <script [% script_nonce FILTER none %]>
       $(function() {
         $("#file").on("change", function() {
           DataFieldHandler();
diff --git a/template/en/default/attachment/diff-file.html.tmpl b/template/en/default/attachment/diff-file.html.tmpl
index 70fbf554ca..d510b5a5ea 100644
--- a/template/en/default/attachment/diff-file.html.tmpl
+++ b/template/en/default/attachment/diff-file.html.tmpl
@@ -45,7 +45,7 @@
     [% END %]
   [% END %]
 </td></tr></thead><tbody class="[% collapsed ? 'file_collapse' : 'file' %]">
-<script>
+<script [% script_nonce FILTER none %]>
 incremental_restore()
 </script>
 
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 43bf4c83cd..d06d4ad563 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -219,7 +219,7 @@
                   <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
                 </iframe>
               [% END %]
-              <script>
+              <script [% script_nonce FILTER none %]>
                 <!--
                 var patchviewerinstalled = 0;
                 var attachment_id = [% attachment.id %];
@@ -328,7 +328,7 @@
   [% END %]
 </div>
 [% IF can_edit %]
-  <script>
+  <script [% script_nonce FILTER none %]>
     <!--
       YAHOO.util.Dom.removeClass( document.body, "no_javascript" );
       toggle_attachment_details_visibility( );
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index 50800dd8e5..16e94586c9 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -19,7 +19,7 @@
   #                 Frédéric Buclin <LpSolit@gmail.com>
   #%]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
 function toggle_display(link) {
     var table = document.getElementById("attachment_table");
diff --git a/template/en/default/bug/comments.html.tmpl b/template/en/default/bug/comments.html.tmpl
index 2346983b29..7af08efdef 100644
--- a/template/en/default/bug/comments.html.tmpl
+++ b/template/en/default/bug/comments.html.tmpl
@@ -25,7 +25,7 @@
 <script src="[% 'js/comments.js' FILTER version %]">
 </script>
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
   /* Adds the reply text to the 'comment' textarea */
   function replyToComment(id, real_id, name) {
@@ -191,13 +191,13 @@
             [% IF comment.collapsed %]
               </span>
             [% END %]
-            <script>
+            <script [% script_nonce FILTER none %]>
               addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display');
             </script>
           </span>
         [% ELSIF comment.collapsed %]
           <span class="bz_comment_actions">
-            <script>
+            <script [% script_nonce FILTER none %]>
               addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display');
             </script>
           </span>
@@ -270,7 +270,7 @@
                    [% " bz_default_hidden" UNLESS comment.tags.size %]">
           <span id="ct_[% comment.count %]">
             [% IF comment.tags.size %]
-              <script>
+              <script [% script_nonce FILTER none %]>
                 YAHOO.bugzilla.commentTagging.showTags([% comment.id FILTER none %],
                   [% comment.count FILTER none %], [
                 [% FOREACH tag = comment.tags %]
diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl
index 9420f13303..a1c2c2e08e 100644
--- a/template/en/default/bug/create/create-guided.html.tmpl
+++ b/template/en/default/bug/create/create-guided.html.tmpl
@@ -41,7 +41,7 @@
 [% tablecolour = "#FFFFCC" %]
 
 [%# This script displays the descriptions for selected components. %]
-<script>
+<script [% script_nonce FILTER none %]>
 var descriptions = [
 [% FOREACH c = product.components %]
   '[% c.description FILTER js %]',
@@ -181,7 +181,7 @@ function PutDescription() {
           <td valign="top" width="100%">
               <div id="description" style="color: green; margin-left: 10px;
                                            height: 5em; overflow: auto;">
-                <script>
+                <script [% script_nonce FILTER none %]>
                   if ((document.getElementById) && (document.body.innerHTML)) {
                     document.write("\
                     Select a component to see its description here.");
diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl
index 567c58d581..3185374e59 100644
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -40,7 +40,7 @@
   onload = "init();"
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
 
 function init() {
@@ -217,7 +217,7 @@ TUI_hide_default('attachment_text_field');
       <input type="button" id="expert_fields_controller"
              value="Hide Advanced Fields" onClick="toggleAdvancedFields()">
       [%# Show the link if the browser supports JS %]
-      <script>
+      <script [% script_nonce FILTER none %]>
         YAHOO.util.Dom.removeClass('expert_fields_controller',
                                    'bz_default_hidden');
       </script>
@@ -276,7 +276,7 @@ TUI_hide_default('attachment_text_field');
         [%- END %]
       </select>
 
-      <script>
+      <script [% script_nonce FILTER none %]>
        <!--
          [%+ INCLUDE "bug/field-events.js.tmpl"
                      field = bug_fields.component, product = product %]
@@ -492,7 +492,7 @@ TUI_hide_default('attachment_text_field');
       <th>Possible<br>Duplicates:</th>
       <td colspan="3">
         <div id="possible_duplicates"></div>
-        <script>
+        <script [% script_nonce FILTER none %]>
           var dt_columns = [
               { key: "id", label: "[% field_descs.bug_id FILTER js %]",
                 formatter: YAHOO.bugzilla.dupTable.formatBugLink },
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index 84a20b97eb..b424d55426 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -49,7 +49,7 @@
     </div>
   [% END %]
   [% IF user.id %]
-    <script>
+    <script [% script_nonce FILTER none %]>
       YAHOO.bugzilla.commentTagging.init([% user.can_tag_comments ? 'true' : 'false' %]);
       YAHOO.bugzilla.commentTagging.min_len = [% constants.MIN_COMMENT_TAG_LENGTH FILTER js %];
       YAHOO.bugzilla.commentTagging.max_len = [% constants.MAX_COMMENT_TAG_LENGTH FILTER js %];
@@ -64,7 +64,7 @@
   [% END %]
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
 [% IF user.is_timetracker %]
   var fRemainingTime = [% bug.remaining_time %]; // holds the original value
@@ -300,7 +300,7 @@
       </table>
     </div>
   </div>
-  <script>
+  <script [% script_nonce FILTER none %]>
     hideAliasAndSummary('[% bug.short_desc FILTER js %]', '[% bug.alias FILTER js %]');
   </script>
 [% END %]
@@ -591,7 +591,7 @@
     [%# BMO - hook for adding mentors %]
     [% Hook.process("after_people", "bug/edit.html.tmpl") %]
 
-    <script>
+    <script [% script_nonce FILTER none %]>
       assignToDefaultOnChange(['product', 'component'],
         '[% bug.component_obj.default_assignee.login FILTER js %]',
         '[% bug.component_obj.default_qa_contact.login FILTER js %]');
@@ -998,7 +998,7 @@
             [% IF !bug_flags_set %]<em>None yet set</em>[% END %]
             (<a href="#" id="bz_flags_more_action">[% IF !bug_flags_set %]set[% ELSE %]more[% END %] flags</a>)
           </span>
-          <script>
+          <script [% script_nonce FILTER none %]>
             YAHOO.util.Dom.removeClass('bz_flags_more_container', 'bz_default_hidden');
             var table = YAHOO.util.Dom.get("flags");
             var rows = YAHOO.util.Dom.getElementsByClassName('bz_flag_type', 'tbody', table);
@@ -1248,7 +1248,7 @@
 
 [% BLOCK summon_comment_box %]
 <div id="comment_top_hat">
-  <script>
+  <script [% script_nonce FILTER none %]>
     function summonCommentBox() {
         var commentbox = document.getElementById('add_comment');
         document.getElementById('comment_top_hat').appendChild(commentbox);
diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl
index b9bee6de35..1d6048cdd0 100644
--- a/template/en/default/bug/field.html.tmpl
+++ b/template/en/default/bug/field.html.tmpl
@@ -74,7 +74,7 @@
 
       <div id="con_calendar_[% field.name FILTER html %]"></div>
 
-      <script>
+      <script [% script_nonce FILTER none %]>
         createCalendar('[% field.name FILTER js %]')
       </script>
     [% CASE constants.FIELD_TYPE_BUG_ID %]
@@ -91,7 +91,7 @@
         <span id="[% field.name FILTER html %]_edit_container" class="edit_me bz_default_hidden">
           (<a href="#" id="[% field.name FILTER html %]_edit_action">edit</a>)
         </span>
-        <script>
+        <script [% script_nonce FILTER none %]>
         hideEditableField('[% field.name FILTER js %]_edit_container',
                           '[% field.name FILTER js %]_input_area',
                           '[% field.name FILTER js %]_edit_action',
@@ -175,7 +175,7 @@
           <input type="hidden" name="defined_[% field.name FILTER html %]">
         [% END %]
 
-        <script>
+        <script [% script_nonce FILTER none %]>
         <!--
           initHidingOptionsForIE('[% field.name FILTER js %]');
           [%+ INCLUDE "bug/field-events.js.tmpl"
@@ -197,7 +197,7 @@
             id = field.name name = field.name minrows = 4 maxrows = 8
             cols = 60 defaultcontent = value mandatory = field.is_mandatory %]
        </div>
-       <script>
+       <script [% script_nonce FILTER none %]>
          hideEditableField('[% field.name FILTER js %]_edit_container',
                            '[% field.name FILTER js %]_input',
                            '[% field.name FILTER js %]_edit_action',
@@ -230,7 +230,7 @@
                   [% IF !bug.id %]value="[% value FILTER html %]"[% END %]>
          </div>
          [% IF bug.id %]
-           <script>
+           <script [% script_nonce FILTER none %]>
              setupEditLink('[% field.name FILTER js %]');
            </script>
          [% END %]
@@ -241,7 +241,7 @@
               name="[% field.name FILTER html %]"
               data-values="[% field.name FILTER html %]"
               value="[% value FILTER html %]">
-       <script>
+       <script [% script_nonce FILTER none %]>
           if (typeof BUGZILLA.autocomplete_values === 'undefined')
             BUGZILLA.autocomplete_values = [];
           BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [
diff --git a/template/en/default/bug/knob.html.tmpl b/template/en/default/bug/knob.html.tmpl
index a0a5dc647b..16aa160f6e 100644
--- a/template/en/default/bug/knob.html.tmpl
+++ b/template/en/default/bug/knob.html.tmpl
@@ -70,7 +70,7 @@
   [% END %]
 </div>
 
-<script>
+<script [% script_nonce FILTER none %]>
   var close_status_array = [
     [% FOREACH status = bug.choices.bug_status %]
       [% NEXT IF status.is_open %]
diff --git a/template/en/default/bug/summarize-time.html.tmpl b/template/en/default/bug/summarize-time.html.tmpl
index 120bd74ad0..9f2742694a 100644
--- a/template/en/default/bug/summarize-time.html.tmpl
+++ b/template/en/default/bug/summarize-time.html.tmpl
@@ -341,7 +341,7 @@
 </tr></table>
 
 </form>
-<script>
+<script [% script_nonce FILTER none %]>
 <!--
   createCalendar('start_date');
   createCalendar('end_date');
diff --git a/template/en/default/list/edit-multiple.html.tmpl b/template/en/default/list/edit-multiple.html.tmpl
index 427acba376..eb989d15cc 100644
--- a/template/en/default/list/edit-multiple.html.tmpl
+++ b/template/en/default/list/edit-multiple.html.tmpl
@@ -28,7 +28,7 @@
 <input type="hidden" name="dontchange" value="[% dontchange FILTER html %]">
 <input type="hidden" name="token" value="[% token FILTER html %]">
 
-<script>
+<script [% script_nonce FILTER none %]>
   function SetCheckboxes(value) {
       var elements = document.forms.changeform.getElementsByTagName('input'),
           numelements = elements.length,
@@ -328,7 +328,7 @@
 
 [% IF groups.size > 0 %]
 
-  <script>
+  <script [% script_nonce FILTER none %]>
     function turn_off(myself, id) {
         var other_checkbox = document.getElementById(id);
         if (myself.checked && other_checkbox) {
@@ -443,7 +443,7 @@
   </select>
   </span>
 
-  <script>
+  <script [% script_nonce FILTER none %]>
   var close_status_array = new Array("[% closed_status_array.join('", "') FILTER none %]");
     YAHOO.util.Event.addListener('bug_status', "change", showHideStatusItems, '[% "is_duplicate" IF bug.dup_id %]');
     YAHOO.util.Event.onDOMReady( showHideStatusItems );
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl
index 671722c850..8714fec7d8 100644
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -140,7 +140,7 @@
         [% END %]
         </tbody>
       </table>
-      <script><!--
+      <script [% script_nonce FILTER none %]><!--
         var numelements = document.forms.editform.elements.length;
         function SetCheckboxes(value) {
           var item;
diff --git a/template/en/default/mfa/duo/verify.html.tmpl b/template/en/default/mfa/duo/verify.html.tmpl
index 799efba7b7..f3f49657a4 100644
--- a/template/en/default/mfa/duo/verify.html.tmpl
+++ b/template/en/default/mfa/duo/verify.html.tmpl
@@ -84,7 +84,7 @@ $(function() {
   [% END %]
 </form>
 
-<script>
+<script [% script_nonce FILTER none %]>
   Duo.init({
     'host': '[% Param('duo_host') FILTER js %]',
     'sig_request': '[% sig_request FILTER js %]',
diff --git a/template/en/default/reports/create-chart.html.tmpl b/template/en/default/reports/create-chart.html.tmpl
index 1e6945ebc6..e20d8522f0 100644
--- a/template/en/default/reports/create-chart.html.tmpl
+++ b/template/en/default/reports/create-chart.html.tmpl
@@ -33,7 +33,7 @@
   donames = 1 
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 [%# This function takes necessary action on selection of a subcategory %]
 function subcatSelected() {
   var cat = document.chartform.category.value;
@@ -55,6 +55,15 @@ function subcatSelected() {
   
   checkNewState();
 }
+document.addEventListener("DOMContentLoaded", function(event) {
+  document.chartform.category.addEventListener("change", function (event) {
+    catSelected();
+    return subcatSelected();
+  });
+  document.chartform.subcategory.addEventListener("change", function (event) {
+    return subcatSelected();
+  });
+});
 </script>
   
 [% gttext = "Grand Total" %]
@@ -79,23 +88,20 @@ function subcatSelected() {
         </th>
       </tr>
       <tr>
-      
-        [% PROCESS series_select sel = { name => 'category', 
-                                         size => 5,
-                                         onchange = "catSelected();
-                                                     subcatSelected();" } %]
-                                   
+
+        [% PROCESS series_select sel = { name => 'category',
+                                         size => 5 } %]
+
         <td>
           <noscript>
             <input type="submit" name="action-assemble" value="Update --&gt;"
                    id="action-assemble">
           </noscript>
         </td>
-        
-        [% PROCESS series_select sel = { name => 'subcategory', 
-                                         size => 5,
-                                         onchange = "subcatSelected()" } %]
-                                   
+
+        [% PROCESS series_select sel = { name => 'subcategory',
+                                         size => 5 } %]
+
         <td>
           <noscript>
             <input type="submit" name="action-assemble" value="Update --&gt;"
diff --git a/template/en/default/reports/keywords.html.tmpl b/template/en/default/reports/keywords.html.tmpl
index 97a2d44d2f..491bac78e6 100644
--- a/template/en/default/reports/keywords.html.tmpl
+++ b/template/en/default/reports/keywords.html.tmpl
@@ -34,7 +34,7 @@
   title = "$terms.Bugzilla Keyword Descriptions"
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
  $(document).ready(function () {
      var show_inactive_keywords = [% show_inactive_keywords ? "true" : "false" FILTER none %],
          link = $("#keywords_show_hide"),
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index e8f926f64a..096eb171ab 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -46,7 +46,7 @@
   [% urlbase = BLOCK %][% urlbase %]&amp;[% tbl_field FILTER uri %]=[% tbl FILTER uri %][% END %]
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 function bz_encode (str, decode) {
   // First decode HTML entities, if requested.
   if (decode)
diff --git a/template/en/default/reports/series-common.html.tmpl b/template/en/default/reports/series-common.html.tmpl
index 469eb79c51..b8032255d1 100644
--- a/template/en/default/reports/series-common.html.tmpl
+++ b/template/en/default/reports/series-common.html.tmpl
@@ -29,7 +29,7 @@
 [% subcategory = category.${default.category} %]
 [% name = subcategory.${default.subcategory} %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 [%# This structure holds details of the series the user can select from. %]
 var series = {
 [% FOREACH c = category.keys.sort %]
diff --git a/template/en/default/reports/series.html.tmpl b/template/en/default/reports/series.html.tmpl
index 3cf9390039..164c303551 100644
--- a/template/en/default/reports/series.html.tmpl
+++ b/template/en/default/reports/series.html.tmpl
@@ -29,7 +29,16 @@
 [% PROCESS "reports/series-common.html.tmpl"
    newtext = "New (name below)" 
  %]
-  
+
+<script [% script_nonce FILTER none %]>
+  document.addEventListener("DOMContentLoaded", function (event) {
+    if (document.chartform) {
+      document.chartform.category.addEventListener("change", (event) => catSelected());
+      document.chartform.subcategory.addEventListener("change", (event) => checkNewState());
+    }
+  });
+</script>
+
 <table cellpadding="2" cellspacing="2" border="0"
        style="text-align: left; margin-left: 20px">
   <tbody>
@@ -42,19 +51,17 @@
     </tr>
     <tr>
       [% PROCESS series_select sel = { name => 'category',
-                                       size => 5,
-                                       onchange => "catSelected()" } %]
+                                       size => 5 } %]
         <td>
           <noscript>
             <input type="submit" name="action-edit" value="Update --&gt;"
                    id="action-edit">
           </noscript>
         </td>
-        
-      [% PROCESS series_select sel = { name => 'subcategory', 
-                                       size => 5,
-                                       onchange => "checkNewState()" } %]
-        
+
+      [% PROCESS series_select sel = { name => 'subcategory',
+                                       size => 5 } %]
+
       <td valign="top" name="name">
         <input type="text" name="name" maxlength="64" 
                value="[% default.name.0 FILTER html %]" size="25">
diff --git a/template/en/default/request/queue.html.tmpl b/template/en/default/request/queue.html.tmpl
index d40281f506..c4b48b024b 100644
--- a/template/en/default/request/queue.html.tmpl
+++ b/template/en/default/request/queue.html.tmpl
@@ -31,7 +31,7 @@
   style_urls = ['skins/standard/buglist.css']
 %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   var useclassification = false; // No classification level in use
   var first_load = true; // Is this the first time we load the page?
   var last_sel = []; // Caches last selection
diff --git a/template/en/default/search/boolean-charts.html.tmpl b/template/en/default/search/boolean-charts.html.tmpl
index 455cb48b86..767ea75634 100644
--- a/template/en/default/search/boolean-charts.html.tmpl
+++ b/template/en/default/search/boolean-charts.html.tmpl
@@ -70,7 +70,7 @@
     with_buttons = 1
     condition = { f => 'noop' }
     cond_num = cond_num + 1 %]
-  <script>
+  <script [% script_nonce FILTER none %]>
     TUI_alternates['custom_search_query'] = '&#9658;';
     TUI_hide_default('custom_search_query');
     TUI_alternates['custom_search_advanced'] = "Show Advanced Features";
@@ -78,7 +78,7 @@
   </script>
   <script src="[% 'js/custom-search.js' FILTER version %]"></script>
   <script src="[% 'js/history.js/native.history.js' FILTER version %]"></script>
-  <script>
+  <script [% script_nonce FILTER none %]>
     redirect_html4_browsers();
     [%# These are alternative labels for the AND and OR options in and_all_select %]
     var cs_and_label = 'Match ALL of the following:';
diff --git a/template/en/default/search/field.html.tmpl b/template/en/default/search/field.html.tmpl
index 0d10d4f6ba..456cf088a0 100644
--- a/template/en/default/search/field.html.tmpl
+++ b/template/en/default/search/field.html.tmpl
@@ -63,7 +63,7 @@
            [% IF onchange %] onchange="[% onchange FILTER html %]"[% END %]
            value="[% value FILTER html %]"
            data-values="[% field.name FILTER html %]">
-    <script>
+    <script [% script_nonce FILTER none %]>
       if (typeof BUGZILLA.autocomplete_values === 'undefined')
         BUGZILLA.autocomplete_values = [];
       BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [
@@ -100,7 +100,7 @@
     <small>(YYYY-MM-DD or relative dates)</small>
     
     <span id="con_calendar_[% field.name FILTER html %]to"></span>
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('[% field.name FILTER js %]');
       createCalendar('[% field.name FILTER js %]to');
     </script>
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 49c3118066..4d78a53da5 100644
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -23,7 +23,7 @@
 
 [% PROCESS "global/field-descs.none.tmpl" %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 
 var first_load = true;         [%# is this the first time we load the page? %]
 var last_sel = new Array();    [%# caches last selection %]
@@ -394,7 +394,7 @@ TUI_hide_default('information_query');
                          onclick="showCalendar('chfieldto')"><span>Calendar</span></button>
           <div id="con_calendar_chfieldto"></div>
     (YYYY-MM-DD or relative dates)
-    <script>
+    <script [% script_nonce FILTER none %]>
       createCalendar('chfieldfrom');
       createCalendar('chfieldto');
     </script>
diff --git a/template/en/default/search/search-create-series.html.tmpl b/template/en/default/search/search-create-series.html.tmpl
index 335448de9e..e0b7ff5623 100644
--- a/template/en/default/search/search-create-series.html.tmpl
+++ b/template/en/default/search/search-create-series.html.tmpl
@@ -56,7 +56,7 @@
   <input type="hidden" name="action" value="create">
   <input type="hidden" name="token" value="[% issue_hash_token(['create-series']) FILTER html %]">
 
-<script>
+<script [% script_nonce FILTER none %]>
   document.chartform.category[0].selected = true;
   catSelected();
   checkNewState();
diff --git a/template/en/default/search/search-instant.html.tmpl b/template/en/default/search/search-instant.html.tmpl
index 01af804fc9..d0cf078e7e 100644
--- a/template/en/default/search/search-instant.html.tmpl
+++ b/template/en/default/search/search-instant.html.tmpl
@@ -19,7 +19,7 @@
   [% default.product = [ 'Firefox' ] %]
 [% END %]
 
-<script>
+<script [% script_nonce FILTER none %]>
 YAHOO.bugzilla.instantSearch.setLabels( {
   id: "[% field_descs.bug_id FILTER js %]",
   summary: "[% field_descs.short_desc FILTER js %]",
diff --git a/template/en/default/search/search-report-graph.html.tmpl b/template/en/default/search/search-report-graph.html.tmpl
index df9c9e8ade..57ca8a8e99 100644
--- a/template/en/default/search/search-report-graph.html.tmpl
+++ b/template/en/default/search/search-report-graph.html.tmpl
@@ -46,7 +46,7 @@ var queryform = "reportform"
   [% terms.bugs %] using the rest of the form.
 </p>
 
-<script><!--
+<script [% script_nonce FILTER none %]><!--
   [%# The Y-axis fields are not used for pie charts %]
   function chartTypeChanged() {
     // format[2] is the pie chart radio button
-- 
2.47.3