mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

6 commits

Author SHA1 Message Date
Andrew White
31abee0341 Add support for automatic nonce generation for Rails UJS
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including
user generated content in some way then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g.

    <%= javascript_tag nonce: true do %>
      alert('Hello, World!');
    <% end %>

Fixes #31689.
2018-02-19 15:59:34 +00:00
ta1kt0me
8b22725c78 Enable to call Rails.ajax without beforeSend 2017-10-28 12:13:19 +09:00
Marc Rendl Ignacio
0093ce16b3 Add jQuery to test vendor files
... so that we can run most, if not all, of rails-ujs
tests without necessarily requiring an internet connection.
2017-07-20 20:49:05 +08:00
Rafael Mendonça França
fe4a5706ac Test rails-ujs in our travis matrix 2017-02-22 13:49:28 -05:00
Guillermo Iguaran
41c33bd4b2 Import rails-ujs v0.1.0 from rails/rails-ujs 2017-02-20 14:29:55 +09:00
Guillermo Iguaran
02568801e6 Add UJS tests 2016-11-26 01:23:07 -05:00