kotovalexarian-likes-github/rails--rails

Fork 0

mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
yuuji.yaginuma	96937335d1	Allow to pass options to `csp_meta_tag` Currently `csp_meta_tag` generates `name` attribute only. However, in libraries like `Material-UI` and `JSS`, expect that the meta tag that contains the nonce with `property` attribute. https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp https://github.com/cssinjs/jss/blob/master/docs/csp.md This patch allows `csp_meta_tag` to specify arbitrary options and allows `nonce` to be passed to those libraries.	2019-02-16 09:36:37 +09:00
Andrew White	31abee0341	Add support for automatic nonce generation for Rails UJS Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.	2018-02-19 15:59:34 +00:00

yuuji.yaginuma

96937335d1

Allow to pass options to csp_meta_tag

Currently `csp_meta_tag` generates `name` attribute only.
However, in libraries like `Material-UI` and `JSS`, expect that the meta tag
that contains the nonce with `property` attribute.

https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp
https://github.com/cssinjs/jss/blob/master/docs/csp.md

This patch allows `csp_meta_tag` to specify arbitrary options and
allows `nonce` to be passed to those libraries.

2019-02-16 09:36:37 +09:00

Andrew White

31abee0341

Add support for automatic nonce generation for Rails UJS

Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g

    <%= javascript_tag nonce: true do %>
      alert('Hello, World!');
    <% end %>

Fixes #31689.

2018-02-19 15:59:34 +00:00

2 commits