set approriate crossorigin for js and css preload links

2022-11-09 12:12:34 -05:00 · 2020-10-21 18:18:30 -04:00 · 2020-10-21 18:18:30 -04:00 · 815e724bea
commit 815e724bea
parent 7cc2b57b8d
2 changed files with 16 additions and 1 deletions
--- a/actionview/lib/action_view/helpers/asset_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/asset_tag_helper.rb
@ -88,16 +88,20 @@ module ActionView
        path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
        preload_links = []
        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        crossorigin = options.delete("crossorigin")
+        crossorigin = "anonymous" if crossorigin == true

        sources_tags = sources.uniq.map { |source|
          href = path_to_javascript(source, path_options)
          unless options["defer"]
            preload_link = "<#{href}>; rel=preload; as=script"
+            preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
            preload_link += "; nopush" if nopush
            preload_links << preload_link
          end
          tag_options = {
-            "src" => href
+            "src" => href,
+            "crossorigin" => crossorigin
          }.merge!(options)
          if tag_options["nonce"] == true
            tag_options["nonce"] = content_security_policy_nonce
@ -142,16 +146,20 @@ module ActionView
        options = sources.extract_options!.stringify_keys
        path_options = options.extract!("protocol", "host", "skip_pipeline").symbolize_keys
        preload_links = []
+        crossorigin = options.delete("crossorigin")
+        crossorigin = "anonymous" if crossorigin == true
        nopush = options["nopush"].nil? ? true : options.delete("nopush")

        sources_tags = sources.uniq.map { |source|
          href = path_to_stylesheet(source, path_options)
          preload_link = "<#{href}>; rel=preload; as=style"
+          preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
          preload_link += "; nopush" if nopush
          preload_links << preload_link
          tag_options = {
            "rel" => "stylesheet",
            "media" => "screen",
+            "crossorigin" => crossorigin,
            "href" => href
          }.merge!(options)
          tag(:link, tag_options)
--- a/actionview/test/template/asset_tag_helper_test.rb
+++ b/actionview/test/template/asset_tag_helper_test.rb
@ -528,6 +528,13 @@ class AssetTagHelperTest < ActionView::TestCase
    assert_equal expected, @response.headers["Link"]
  end

+  def test_should_set_preload_links_with_cross_origin
+    stylesheet_link_tag("http://example.com/style.css", crossorigin: "use-credentials")
+    javascript_include_tag("http://example.com/all.js", crossorigin: true)
+    expected = "<http://example.com/style.css>; rel=preload; as=style; crossorigin=use-credentials; nopush,<http://example.com/all.js>; rel=preload; as=script; crossorigin=anonymous; nopush"
+    assert_equal expected, @response.headers["Link"]
+  end
+
  def test_image_path
    ImagePathToTag.each { |method, tag| assert_dom_equal(tag, eval(method)) }
  end