Index: openacs-4/packages/acs-templating/tcl/head-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/head-procs.tcl,v
diff -u -r1.20.2.7 -r1.20.2.8
--- openacs-4/packages/acs-templating/tcl/head-procs.tcl 14 Sep 2016 06:37:47 -0000 1.20.2.7
+++ openacs-4/packages/acs-templating/tcl/head-procs.tcl 15 Sep 2016 10:00:37 -0000 1.20.2.8
@@ -125,6 +125,17 @@
 if {$script eq ""} {
 error "You must supply either -src or -script."
 }
+
+ #
+ # For the time being, not all browsers support
+ # nonces. According to the spects the added 'unsafe-inline',
+ # is ignored on browsers supporting nonces.
+ #
+ # We could restrict setting of unsafe-inline to certain
+ # browsers by checking the user agent.
+ #
+ security::csp::require script-src 'unsafe-inline'
+
 lappend ::template::head::scripts(anonymous) $type "" $charset $defer $async $script $order $crossorigin $integrity
 } else {
 set ::template::head::scripts($src) [list $type $src $charset $defer $async "" $order $crossorigin $integrity]
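Review bot: The added `security::csp::require script-src 'unsafe-inline'` is emitted unconditionally for every anonymous inline script, and the comment's claim that nonce-capable browsers ignore it holds only when the same script-src directive also carries a 'nonce-…' or hash source; nothing in this hunk shows a nonce being required on this path, so if none is, every user agent honors 'unsafe-inline' and CSP's inline-script protection is effectively disabled for the page. Please confirm the nonce source is required alongside it (or add it here) and make the comment state that condition, e.g. `# 'unsafe-inline' is a fallback for CSP Level 1 UAs; nonce-aware browsers ignore it only when script-src also contains a 'nonce-...' source.` The comment also has a typo, "spects" should read "specs", and the stray comma after 'unsafe-inline' should go. Consider making this fallback configurable so deployments that do not serve legacy browsers can keep the strict policy. The enclosing proc starts before and continues after this hunk.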