Add rename_csp_helper_nonce_attribute ActionView configuration to avoid value exfiltration #51729
Conversation
…ttribute This PR allows Turbo to support rails/rails#51729 to allow using the `nonce` attribute as well as the `content` attribute. As described in rails/rails#51580 (comment) this makes it harder to extract the nonce value.
|
I added a commit to change UJS as well. It changes UJS to check for the nonce attribute first, and if absent falls back to the content attribute. |
|
UJS is dead #50535, so those files should not be changed |
codergeek121
force-pushed
the
csp-meta-tag-content-to-nonce
branch
from
c9ac6cf
to
4294d40
Compare
|
I removed the UJS changes, thank you for the hint! Since I'd be happy to adapt 👍 |
Adds a configuration to rename the csp helper attribute name. It's disabled by default currently until the JS libraries are updated to the new attribute name and Rails can ship with a new default attribute name. Fixes rails#51580
codergeek121
force-pushed
the
csp-meta-tag-content-to-nonce
branch
from
4294d40
to
68a83a2
Compare
Even with a major version, we still have to follow the deprecation cycle. |
|
Thank you for the link/info @zzak! Can we still deprecate this in 7.2, or should we deprecate this in 8.0? There's no |
Adds a configuration to rename the CSP helper attribute name to avoid value exfiltration as described in #51580 (comment)
It's disabled by default currently until the JS libraries are updated to the new attribute name and Rails can ship with a new default attribute name.
Fixes the Rails part #51580. See this PR for a potential fix in Turbo: https://github.com/hotwired/turbo/pull/1254/files
If this approach makes sense in general, I'd try to fix ujs as well 👍