Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Copy CSP nonce to script element inside turbo frames #291

Merged
merged 1 commit into from
Jun 30, 2021
Merged

Copy CSP nonce to script element inside turbo frames #291

merged 1 commit into from
Jun 30, 2021

Conversation

CiTroNaK
Copy link
Contributor

PR #192 added support to evaluate script elements in turbo frames. I found out, that it worked for me only when CSP was disabled or sets with unsafe_inline for script_src.

This small change allows to use it when the CSP nonce generation is used in the application.

I am sorry, but I was not able to find a way how to write a proper test for it. Any help with that will be very welcomed. I only tested it locally with the latest Rails with this CSP setting:

Rails.application.config.content_security_policy do |policy|
  policy.script_src :self, :https
end

Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_directives = %w[script-src]

Thank you for any feedback or help with this PR 🙂

@CiTroNaK CiTroNaK mentioned this pull request Jun 28, 2021
Open
@dhh
Copy link
Member

dhh commented Jun 30, 2021

This is good. Yeah, we should get a proper CSP test case setup. But let's work on that in a second step.

@dhh dhh marked this pull request as ready for review June 30, 2021 23:00
@dhh dhh merged commit 5d216a0 into hotwired:main Jun 30, 2021
KjellMorgenstern pushed a commit to KjellMorgenstern/turbo-todos that referenced this pull request Aug 24, 2022
Update gems. This resolves issues with the CSP, probably through hotw…
cd26d11 
…ired/turbo#291
KjellMorgenstern pushed a commit to KjellMorgenstern/turbo-todos that referenced this pull request Aug 24, 2022
Update gems. This resolves issues with the CSP, probably through hotw…
303e33a 
…ired/turbo#291
KjellMorgenstern pushed a commit to KjellMorgenstern/turbo-todos that referenced this pull request Sep 13, 2022
Update gems. This resolves issues with the CSP, probably through hotw…
7eee9f3 
…ired/turbo#291
@evgenyneu evgenyneu mentioned this pull request Oct 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CiTroNaK @dhh