Index: openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl,v
diff -u -N -r1.2.2.7 -r1.2.2.8
--- openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl	9 Sep 2016 08:12:25 -0000	1.2.2.7
+++ openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl	12 Sep 2016 08:29:49 -0000	1.2.2.8
@@ -239,7 +239,8 @@
                 if (document.forms[form_name].elements[element_name].type == 'hidden') return;
                 
                 document.forms[form_name].elements[element_name].focus();
-            }}
+            };
+        }
         append focus_script "acs_Focus('${form_name}', '${element_name}');\n"
         template::add_body_script -script $focus_script
     } else {
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.78.2.27 -r1.78.2.28
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl	9 Sep 2016 08:27:11 -0000	1.78.2.27
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl	12 Sep 2016 08:29:49 -0000	1.78.2.28
@@ -340,9 +340,17 @@
     Logs the user out. 
 } {
     set domain [parameter::get -parameter CookieDomain -package_id [ad_acs_kernel_id]]
-
-    ad_unset_cookie -domain $domain -secure f ad_session_id
-    ad_unset_cookie -domain $domain -secure t ad_session_id
+    #
+    # Use the same "secure" setting for unsetting the cookie as it was
+    # used for setting the cookie. The implementation is not 100%
+    # correct, for cases, when the parameter value for
+    # "SecureSessionCookie" was altered during a session, but this
+    # should be a seldom border case.
+    #
+    ad_unset_cookie -domain $domain -secure [expr {[parameter::get \
+                            -parameter SecureSessionCookie \
+                            -package_id [ad_acs_kernel_id] \
+                            -default 0] ? "t" : "f"}] ad_session_id
     ad_unset_cookie -domain $domain -secure f ad_user_login
     ad_unset_cookie -domain $domain -secure t ad_secure_token
     ad_unset_cookie -domain $domain -secure t ad_user_login_secure
@@ -2038,9 +2046,18 @@
         security::csp::require script-src 'self'
         security::csp::require style-src 'self'
         security::csp::require img-src 'self'
+        security::csp::require font-src 'self'
 
         #
-        # Always add the nonce-token to script-src
+        # Always add the nonce-token to script-src. Note, that nonce
+        # definition comes via CSP 2, which - at the current time - is
+        # not supported by all browsers interpreting CSPs. We could
+        # add a "unsafe-inline" here, since the spec defines that when
+        # 'unsafe-inline' and a 'nonce-source' is used, the
+        # 'unsafe-inline'" will have no effect
+        # (https://w3c.github.io/webappsec-csp/ § 6.6.2.2.). However,
+        # some security checkers just look for 'unsafe-inline' and
+        # downgrade the rating without honoring the 'nonce-src'.
         #
         security::csp::require script-src 'nonce-$nonce'
         
@@ -2049,26 +2066,12 @@
         # style="...">) would be allowed.
         #
         security::csp::require style-src 'unsafe-inline'
-        
+
         #
-        # Check for invalid combination to avoid unexpected behavior
+        # Define a report URI to ease debugging. CSP 3 will support a
+        # "report-to" directive, but will still support "report-uri".
         #
-        foreach directive {script-src style-src} {
-            #
-            # The combination of 'unsafe-inline' with a hash or nonce is
-            # not possible, since 'unsafe-inline' is ignored in such
-            # cases.
-            #
-            set var ::__csp__directive($directive)
-            if {[info exists $var] && "'unsafe-inline'" in [set $var]} {
-                foreach prefix {nonce sha256 sha384 sha512} {
-                    set p [lsearch -glob [set $var] '$prefix-*']
-                    if {$p > -1} {
-                        set $var [lreplace [set $var] $p $p]
-                    }
-                }
-            }
-        }
+        security::csp::require report-uri /SYSTEM/csp-collector.tcl
 
         set policy ""
         foreach directive {
Index: openacs-4/www/blank-master.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/www/blank-master.tcl,v
diff -u -N -r1.56.2.8 -r1.56.2.9
--- openacs-4/www/blank-master.tcl	9 Sep 2016 08:12:25 -0000	1.56.2.8
+++ openacs-4/www/blank-master.tcl	12 Sep 2016 08:29:49 -0000	1.56.2.9
@@ -239,7 +239,8 @@
                 if (document.forms[form_name].elements[element_name].type == 'hidden') return;
                 
                 document.forms[form_name].elements[element_name].focus();
-            }}
+            };
+        }
         append focus_script "acs_Focus('${form_name}', '${element_name}');\n"
         template::add_body_script -script $focus_script
     } else {