mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
96937335d1
Currently `csp_meta_tag` generates the `name` attribute only. However, libraries like `Material-UI` and `JSS` expect the meta tag that contains the nonce to have a `property` attribute. https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp https://github.com/cssinjs/jss/blob/master/docs/csp.md This patch allows `csp_meta_tag` to specify arbitrary options and allows `nonce` to be passed to those libraries.
26 lines
679 B
Ruby
# frozen_string_literal: true

module ActionView
  # = Action View CSP Helper
  module Helpers #:nodoc:
    module CspHelper
      # Returns a meta tag "csp-nonce" with the per-session nonce value
      # for allowing inline <script> tags.
      #
      #   <head>
      #     <%= csp_meta_tag %>
      #   </head>
      #
      # This is used by the Rails UJS helper to create dynamically
      # loaded inline <script> elements.
      #
      def csp_meta_tag(**options)
        if content_security_policy?
          options[:name] = "csp-nonce"
          options[:content] = content_security_policy_nonce
          tag("meta", options)
        end
      end
    end
  end
end
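The following is an added example, not code from Rails or from this commit. It is a stand-alone model of the helper's option handling, showing that a caller can add a `property` attribute while `name` and `content` always come from the helper, and that the nonce in the tag matches the one in the policy header. The names `render_meta`, `csp_meta_tag_model`, `csp_header` and `nonce_from_meta`, the sample policy, and the nonce value are assumptions made for illustration.

```ruby
require "cgi/escape"
require "securerandom"

# Hypothetical stand-in for ActionView's tag("meta", options):
# every attribute value is HTML-escaped before it is emitted.
def render_meta(options)
  attrs = options.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
  "<meta #{attrs} />"
end

# Mirrors csp_meta_tag above: caller options are accepted, but :name and
# :content are assigned afterwards, so a caller cannot override them.
def csp_meta_tag_model(nonce, **options)
  return nil if nonce.nil? # models content_security_policy? being false
  options[:name] = "csp-nonce"
  options[:content] = nonce
  render_meta(options)
end

# Header value sent with the page (constructed sample policy).
def csp_header(nonce)
  "script-src 'self' 'nonce-#{nonce}'; style-src 'self' 'nonce-#{nonce}'"
end

# Reads the nonce the way a client library would, keyed on the given
# attribute ("name" for Rails UJS, "property" for the libraries named
# in the commit message).
def nonce_from_meta(html, attr)
  m = html.match(/<meta\b[^>]*\b#{attr}="csp-nonce"[^>]*\bcontent="([^"]*)"/)
  m && CGI.unescapeHTML(m[1])
end

NONCE = SecureRandom.base64(16) # constructed sample value
TAG = csp_meta_tag_model(NONCE, property: "csp-nonce", name: "ignored")
puts csp_header(NONCE)
puts TAG
```
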