Fullpage redirect with JavaScript doesn't work in Rails 5.2 due to `Content Security Policy`

[damhonglinh]

Reproduce steps:

1. In Chrome, go to https://myapp-domain.com/login?shop=abc.myshopify.com
2. You will see an error in DevTools console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https:". Either the 'unsafe-inline' keyword, a hash ('sha256-sometokenhere='), or a nonce ('nonce-...') is required to enable inline execution

This happens in Rails 5.2 (for example I use 5.2.0.beta2) and is due to a new security feature in Rails 5.2: rails/rails#31162

[damhonglinh]

A quick fix I can think of is adding this code to those controllers that use fullpage redirect:

content_security_policy do |p|
  p.script_src(:self, :https, :unsafe_inline)
end

Or an even quicker fix, add :unsafe_inline to p.script_src in your Rails.application.config.content_security_policy (usually in ./config/initializers/content_security_policy.rb file)

[EiNSTeiN-]

looks like this will need to be moved to a .js asset: https://github.com/Shopify/shopify_app/blob/master/lib/shopify_app/controller_concerns/login_protection.rb#L81-L99

[EiNSTeiN-]

I opened a tentative fix here: #537 (not tested yet)

[jamiemtdwyer]

#537 fixes the redirect issue, but there is still more work to be done for getting CSP in Rails 5.2 to work perfectly. I'm tracking the remaining work here.