Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -r1.70.2.19 -r1.70.2.20
--- openacs-4/packages/acs-tcl/acs-tcl.info 6 Sep 2016 17:33:55 -0000 1.70.2.19
+++ openacs-4/packages/acs-tcl/acs-tcl.info 13 Sep 2016 08:23:29 -0000 1.70.2.20
@@ -9,7 +9,7 @@ f t - + OpenACS The Kernel Tcl API library. 2016-05-15
@@ -18,7 +18,7 @@ GPL version 2 3 - +
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.78.2.28 -r1.78.2.29
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 12 Sep 2016 08:29:49 -0000 1.78.2.28
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 13 Sep 2016 08:23:29 -0000 1.78.2.29
@@ -2021,7 +2021,7 @@
 }
 # security::csp::require style-src 'unsafe-inline'
- ad_proc -public ::security::csp::require {directive value} {
+ ad_proc -public ::security::csp::require {{-force:boolean} directive value} {
 Add a single value to a CSP directive
 @directive name of the directive (such as e.g. style-src)
 @value allowed source for this page (such as e.g. unsafe-inline)
@@ -2030,6 +2030,13 @@
 if {![info exists $var] || $value ni [set $var]} {
 lappend $var $value
 }
+ if {$force_p} {
+ ns_log notice "CSP: forcing $directive $value"
+ set var ::__csp__directive_forced($directive)
+ if {![info exists $var] || $value ni [set $var]} {
+ lappend $var $value
+ }
+ }
 }
 ad_proc -public ::security::csp::render {} {
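Review bot: The ad_proc documentation in the first security-procs.tcl hunk still lists only `@directive` and `@value`; the `-force` switch that the new signature `{{-force:boolean} directive value}` introduces is undocumented, so API readers cannot tell what forcing a value does or that it is a behavioral change to the emitted policy. I would add a line in the style of the existing entries, e.g. `@param force when set, the value is additionally recorded in ::__csp__directive_forced($directive); the renderer consults this list before adding the script-src nonce`. The proc body continues in the next hunk.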
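Review bot: In the second security-procs.tcl hunk the forced value is recorded for any directive, but within this diff `::__csp__directive_forced` is only ever read back for script-src (the render hunk that follows), so `-force` on another directive currently yields just a notice-level log line and an unused array entry; if that is intended, a comment above `if {$force_p} {` such as `# forced values are at present only honored by render for script-src` would spare the next maintainer a search. The append-if-absent block on `::__csp__directive_forced($directive)` repeats the three lines immediately above it for `::__csp__directive($directive)`; a small private helper taking the array name would keep the two paths from drifting apart. The enclosing proc starts in the previous hunk.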
@@ -2059,7 +2066,18 @@
 # some security checkers just look for 'unsafe-inline' and
 # downgrade the rating without honoring the 'nonce-src'.
 #
- security::csp::require script-src 'nonce-$nonce'
+ # Another problem is mixed content. When we set the nonce-src
+ # and 'unsafe-inline', and a browser honoring nonces ignores
+ # the 'unsafe-inline', but some javascript framework requires
+ # it (e.g ckeditor4), we have a problem. Therefore, an
+ # application can force "'unsafe-inline'" which means that we
+ # do not set the nonce-src in such cases.
+ #
+ if {![info exists ::__csp__directive_forced(script-src)]
+ || "'unsafe-inline'" ni $::__csp__directive_forced(script-src)
+ } {
+ security::csp::require script-src 'nonce-$nonce'
+ }
 # We need for the time being 'unsafe-inline' for style-src,
 # otherwise not even the style attribute (e.g.
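Review bot: Once a package forces 'unsafe-inline' for script-src, the new `if` suppresses the nonce for the whole rendered policy, so every inline script on that page is then permitted rather than only the framework's, and the sole trace of this downgrade is the notice-level log inside `security::csp::require`, which is easy to overlook. I would make the suppression visible where it happens, by giving the new `if` an else branch: `} else {`, `ns_log warning "CSP: script-src nonce suppressed because 'unsafe-inline' was forced"`, `}`. The phrase "mixed content" in the added comment normally denotes http resources loaded into an https page; the situation described here is mixing nonce-src with 'unsafe-inline', so I'd reword the first sentence to `# Another problem is mixing nonces with 'unsafe-inline'. When we set the nonce-src` and correct `e.g ckeditor4` to `e.g. ckeditor4`. The enclosing proc ::security::csp::render begins outside the hunk.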