mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionview/app/assets/javascripts
Andrew White 31abee0341 Add support for automatic nonce generation for Rails UJS
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including
user generated content in some way then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g.

    <%= javascript_tag nonce: true do %>
      alert('Hello, World!');
    <% end %>

Fixes #31689.
2018-02-19 15:59:34 +00:00
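The nonce mechanism described in the commit above, as an added example that is not rails-ujs code: a small model of how a browser decides whether a dynamically created inline script may run under the page's script-src directive, and how the per-request nonce is read back from the meta tag. The meta tag name `csp-nonce`, the sample nonce value and the page fragment are constructed assumptions, not values from the commit.

```javascript
// Constructed per-request nonce (assumed value, standing in for a random one).
const SAMPLE_NONCE = 'N0nc3Val+Fr0mS3rv3r==';

// Header a server would send alongside the meta tag: no 'unsafe-inline'
// needed because the nonce alone authorises the UJS-created script.
function cspHeaderFor(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'`;
}

// Parse a CSP header into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Would an inline <script> carrying scriptNonce (or none) execute?
// CSP Level 3 semantics: a matching 'nonce-...' source allows it, and
// 'unsafe-inline' is honoured only when the directive has no nonce or hash
// source at all. script-src falls back to default-src when absent.
function inlineScriptAllowed(header, scriptNonce) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'] || [];
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // Nonce comparison is case-sensitive, so use the original sources here.
  if (scriptNonce && sources.includes(`'nonce-${scriptNonce}'`)) return true;
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Read the nonce from the page the way the adapter reads the CSRF token:
// from a meta tag. The tag name "csp-nonce" is an assumption of this example.
function nonceFromMeta(html) {
  const m = html.match(/<meta\s+name="csp-nonce"\s+content="([^"]+)"/i);
  return m ? m[1] : null;
}
```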
rails-ujs Add support for automatic nonce generation for Rails UJS 2018-02-19 15:59:34 +00:00
MIT-LICENSE Bump license years for 2018 2017-12-31 22:36:55 +09:00
rails-ujs.coffee Reorganize rails-ujs files 2017-03-30 14:41:17 -04:00
README.md Update rails-ujs readme 2018-01-29 19:18:35 -05:00

Ruby on Rails unobtrusive scripting adapter

This unobtrusive scripting support file is developed for the Ruby on Rails framework, but is not strictly tied to any specific backend. You can drop this into any application to:

  • force confirmation dialogs for various actions;
  • make non-GET requests from hyperlinks;
  • make forms or hyperlinks submit data asynchronously with Ajax;
  • have submit buttons become automatically disabled on form submit to prevent double-clicking.

These features are achieved by adding certain data attributes to your HTML markup. In Rails, they are added by the framework's template helpers.

Optional prerequisites

Note that the data attributes this library adds are a feature of HTML5. If you're not targeting HTML5, these attributes may make your HTML fail validation. However, this shouldn't create any issues for web browsers or other user agents.

Installation

NPM

npm install rails-ujs --save

Yarn

yarn add rails-ujs

Usage

Asset pipeline

In a conventional Rails application that uses the asset pipeline, require rails-ujs in your application.js manifest:

//= require rails-ujs

ES2015+

If you're using the Webpacker gem or some other JavaScript bundler, add the following to your main JS file:

import Rails from 'rails-ujs';
Rails.start()

How to run tests

Run bundle exec rake ujs:server first, and then run the web tests by visiting http://localhost:4567 in your browser.

License

rails-ujs is released under the MIT License.