mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
31abee0341
Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'. To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled. Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts. It is also possible to use the nonce within your own script tags by using `nonce: true` to set the nonce value on the tag, e.g <%= javascript_tag nonce: true do %> alert('Hello, World!'); <% end %> Fixes #31689.
68 lines
1.6 KiB
Ruby
68 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "active_support/benchmarkable"
|
|
|
|
module ActionView #:nodoc:
|
|
module Helpers #:nodoc:
|
|
extend ActiveSupport::Autoload
|
|
|
|
autoload :ActiveModelHelper
|
|
autoload :AssetTagHelper
|
|
autoload :AssetUrlHelper
|
|
autoload :AtomFeedHelper
|
|
autoload :CacheHelper
|
|
autoload :CaptureHelper
|
|
autoload :ControllerHelper
|
|
autoload :CspHelper
|
|
autoload :CsrfHelper
|
|
autoload :DateHelper
|
|
autoload :DebugHelper
|
|
autoload :FormHelper
|
|
autoload :FormOptionsHelper
|
|
autoload :FormTagHelper
|
|
autoload :JavaScriptHelper, "action_view/helpers/javascript_helper"
|
|
autoload :NumberHelper
|
|
autoload :OutputSafetyHelper
|
|
autoload :RecordTagHelper
|
|
autoload :RenderingHelper
|
|
autoload :SanitizeHelper
|
|
autoload :TagHelper
|
|
autoload :TextHelper
|
|
autoload :TranslationHelper
|
|
autoload :UrlHelper
|
|
autoload :Tags
|
|
|
|
def self.eager_load!
|
|
super
|
|
Tags.eager_load!
|
|
end
|
|
|
|
extend ActiveSupport::Concern
|
|
|
|
include ActiveSupport::Benchmarkable
|
|
include ActiveModelHelper
|
|
include AssetTagHelper
|
|
include AssetUrlHelper
|
|
include AtomFeedHelper
|
|
include CacheHelper
|
|
include CaptureHelper
|
|
include ControllerHelper
|
|
include CspHelper
|
|
include CsrfHelper
|
|
include DateHelper
|
|
include DebugHelper
|
|
include FormHelper
|
|
include FormOptionsHelper
|
|
include FormTagHelper
|
|
include JavaScriptHelper
|
|
include NumberHelper
|
|
include OutputSafetyHelper
|
|
include RecordTagHelper
|
|
include RenderingHelper
|
|
include SanitizeHelper
|
|
include TagHelper
|
|
include TextHelper
|
|
include TranslationHelper
|
|
include UrlHelper
|
|
end
|
|
end
|