Merge pull request #32607 from yaroslav/feature/nonce-for-javascript_include_tag

Add the `nonce: true` option for `javascript_include_tag` helper.
2022-11-09 12:12:34 -05:00 · 2018-04-18 18:49:27 +01:00 · 2018-04-18 18:49:27 +01:00 · 185fce1597
commit 185fce1597
parent 7bcb04c73d 47013a7126
4 changed files with 28 additions and 0 deletions
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@ -1,3 +1,9 @@
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
+
+    *Yaroslav Markin*
+
 *   Remove `ActionView::Helpers::RecordTagHelper`.

    *Yoshiyuki Hirano*
--- a/actionview/lib/action_view/helpers/asset_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/asset_tag_helper.rb
@ -55,6 +55,8 @@ module ActionView
      #   that path.
      # * <tt>:skip_pipeline</tt>  - This option is used to bypass the asset pipeline
      #   when it is set to true.
+      # * <tt>:nonce<tt>  - When set to true, adds an automatic nonce value if
+      #   you have Content Security Policy enabled.
      #
      # ==== Examples
      #
@ -79,6 +81,9 @@ module ActionView
      #
      #   javascript_include_tag "http://www.example.com/xmlhr.js"
      #   # => <script src="http://www.example.com/xmlhr.js"></script>
+      #
+      #   javascript_include_tag "http://www.example.com/xmlhr.js", nonce: true
+      #   # => <script src="http://www.example.com/xmlhr.js" nonce="..."></script>
      def javascript_include_tag(*sources)
        options = sources.extract_options!.stringify_keys
        path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
@ -90,6 +95,9 @@ module ActionView
          tag_options = {
            "src" => href
          }.merge!(options)
+          if tag_options["nonce"] == true
+            tag_options["nonce"] = content_security_policy_nonce
+          end
          content_tag("script".freeze, "", tag_options)
        }.join("\n").html_safe

--- a/actionview/test/template/asset_tag_helper_test.rb
+++ b/actionview/test/template/asset_tag_helper_test.rb
@ -29,6 +29,10 @@ class AssetTagHelperTest < ActionView::TestCase
    "http://www.example.com"
  end

+  def content_security_policy_nonce
+    "iyhD0Yc0W+c="
+  end
+
  AssetPathToTag = {
    %(asset_path(""))             => %(),
    %(asset_path("   "))          => %(),
@ -421,6 +425,10 @@ class AssetTagHelperTest < ActionView::TestCase
    assert_dom_equal %(<script src="//assets.example.com/javascripts/prototype.js"></script>), javascript_include_tag("prototype")
  end

+  def test_javascript_include_tag_nonce
+    assert_dom_equal %(<script src="/javascripts/bank.js" nonce="iyhD0Yc0W+c="></script>), javascript_include_tag("bank", nonce: true)
+  end
+
  def test_stylesheet_path
    StylePathToTag.each { |method, tag| assert_dom_equal(tag, eval(method)) }
  end
--- a/guides/source/security.md
+++ b/guides/source/security.md
@ -1182,6 +1182,12 @@ as part of `html_options`. Example:
 <% end -%>
 ```

+The same works with `javascript_include_tag`:
+
+```html+erb
+<%= javascript_include_tag "script", nonce: true %>
+```
+
 Use [`csp_meta_tag`](http://api.rubyonrails.org/classes/ActionView/Helpers/CspHelper.html#method-i-csp_meta_tag)
 helper to create a meta tag "csp-nonce" with the per-session nonce value
 for allowing inline `<script>` tags.