mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
31abee0341
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
86 lines
2.4 KiB
Ruby
86 lines
2.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "rack"
|
|
require "rails"
|
|
require "action_controller/railtie"
|
|
require "action_view/railtie"
|
|
require "blade"
|
|
require "json"
|
|
|
|
module UJS
|
|
class Server < Rails::Application
|
|
routes.append do
|
|
get "/rails-ujs.js" => Blade::Assets.environment
|
|
get "/" => "tests#index"
|
|
match "/echo" => "tests#echo", via: :all
|
|
get "/error" => proc { |env| [403, {}, []] }
|
|
end
|
|
|
|
config.cache_classes = false
|
|
config.eager_load = false
|
|
config.secret_key_base = "59d7a4dbd349fa3838d79e330e39690fc22b931e7dc17d9162f03d633d526fbb92dfdb2dc9804c8be3e199631b9c1fbe43fc3e4fc75730b515851849c728d5c7"
|
|
config.paths["app/views"].unshift("#{Rails.root}/views")
|
|
config.public_file_server.enabled = true
|
|
config.logger = Logger.new(STDOUT)
|
|
config.log_level = :error
|
|
|
|
config.content_security_policy do |policy|
|
|
policy.default_src :self, :https
|
|
policy.font_src :self, :https, :data
|
|
policy.img_src :self, :https, :data
|
|
policy.object_src :none
|
|
policy.script_src :self, :https
|
|
policy.style_src :self, :https
|
|
end
|
|
|
|
config.content_security_policy_nonce_generator = ->(req) { SecureRandom.base64(16) }
|
|
end
|
|
end
|
|
|
|
module TestsHelper
|
|
def test_to(*names)
|
|
names = names.map { |name| "/test/#{name}.js" }
|
|
names = %w[/vendor/qunit.js /test/settings.js] + names
|
|
|
|
capture do
|
|
names.each do |name|
|
|
concat(javascript_include_tag(name))
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
class TestsController < ActionController::Base
|
|
helper TestsHelper
|
|
layout "application"
|
|
|
|
def index
|
|
render :index
|
|
end
|
|
|
|
def echo
|
|
data = { params: params.to_unsafe_h }.update(request.env)
|
|
|
|
if params[:content_type] && params[:content]
|
|
render inline: params[:content], content_type: params[:content_type]
|
|
elsif request.xhr?
|
|
render json: JSON.generate(data)
|
|
elsif params[:iframe]
|
|
payload = JSON.generate(data).gsub("<", "<").gsub(">", ">")
|
|
html = <<-HTML
|
|
<script nonce="#{request.content_security_policy_nonce}">
|
|
if (window.top && window.top !== window)
|
|
window.top.jQuery.event.trigger('iframe:loaded', #{payload})
|
|
</script>
|
|
<p>You shouldn't be seeing this. <a href="#{request.env['HTTP_REFERER']}">Go back</a></p>
|
|
HTML
|
|
|
|
render html: html.html_safe
|
|
else
|
|
render plain: "ERROR: #{request.path} requested without ajax", status: 404
|
|
end
|
|
end
|
|
end
|
|
|
|
Blade.initialize!
|
|
UJS::Server.initialize!
|