trade-tariff · rasikasri · Nov 30, 2023 · Nov 30, 2023 · Dec 1, 2023 · Dec 1, 2023
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -18,9 +18,9 @@
   </head>
 
   <body class="govuk-template__body ">
-    <script>
-      document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');
-    </script>
+    <%= javascript_tag nonce: true do -%>
+        document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');
+    <% end -%>
 
     <a href="#main-content" class="govuk-skip-link" data-module="govuk-skip-link">Skip to main content</a>
 

diff --git a/app/webpacker/javascripts/markdown-preview.js b/app/webpacker/javascripts/markdown-preview.js
@@ -1,28 +1,37 @@
-import $ from 'jquery';
-import 'jquery.autosize' ;
-
-$(document).ready(function(){
+document.addEventListener("DOMContentLoaded", function () {
   var Previewer = {
-    preview: function(content, output) {
-      $.ajax({
-        type: 'POST',
-        url: "/govspeak",
-        data: { govspeak: content.val() },
-        dataType: 'json'
-      }).done(function(data){
-        output.html(data['govspeak']);
-      });
-    }
+    preview: function (content, output) {
+      fetch("/govspeak", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ govspeak: content.value }),
+      })
+          .then(function (response) {
+            return response.json();
+          })
+          .then(function (data) {
+            output.innerHTML = data.govspeak;
+          })
+          .catch(function (error) {
+            console.error("Error:", error);
+          });
+    },
   };
 
-  $("[data-preview]").each(function(){
-    var source_field = $($(this).data('preview-for'));
-    var render_area = $(this);
+  document.querySelectorAll("[data-preview]").forEach(function (element) {
+    var source_field = document.querySelector(element.dataset.previewFor);
+    var render_area = element;
 
-    source_field.keyup(function() {
+    source_field.addEventListener("input", function () {
       Previewer.preview(source_field, render_area);
-    })
+    });
   });
 
-  $('textarea').autosize();
-});
+  document.querySelectorAll("textarea").forEach(function (textarea) {
+    textarea.addEventListener("input", function () {
+      autosize(this);
+    });
+  });
+});
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -4,23 +4,23 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self, :https
+    policy.font_src    :self, :https, :data
+    policy.img_src     :self, :https, :data
+    policy.object_src  :none
+    policy.script_src  :self, :https
+    policy.style_src   :self, :https
+    # Specify URI for violation reports
+    policy.report_uri ENV['SENTRY_CSP_ENDPOINT'] if ENV['SENTRY_CSP_ENDPOINT'].present?
+  end
+
 #   # Generate session nonces for permitted importmap and inline scripts
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  # config.content_security_policy_nonce_directives = %w(script-src)
 #
 #   # Report CSP violations to a specified URI. See:
 #   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-#   # config.content_security_policy_report_only = true
-# end
+#   config.content_security_policy_report_only = true
+end
diff --git a/package.json b/package.json
@@ -3,6 +3,7 @@
   "private": true,
   "dependencies": {
     "@rails/webpacker": "^5.4.4",
+    "autosize": "^6.0.1",
     "chart.js": "^4.4.0",
     "govuk-frontend": "^4.7.0",
     "jquery": "^3.7.1",

diff --git a/yarn.lock b/yarn.lock
@@ -1803,6 +1803,11 @@ autoprefixer@^9.6.1:
     postcss "^7.0.32"
     postcss-value-parser "^4.1.0"
 
+autosize@^6.0.1:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/autosize/-/autosize-6.0.1.tgz#64ee78dd7029be959eddd3afbbd33235b957e10f"
+  integrity sha512-f86EjiUKE6Xvczc4ioP1JBlWG7FKrE13qe/DxBCpe8GCipCq2nFw73aO8QEBKHfSbYGDN5eB9jXWKen7tspDqQ==
+
 available-typed-arrays@^1.0.5:
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"