Content Security Policy (CSP)

Chartkick tries to make CSP as easy as possible. Currently, unsafe-inline styles must be enabled for charts to work. There are open issues to resolve this with some of the charting libraries.

Google Charts also requires unsafe-eval, as well as styles and scripts from the https://www.gstatic.com domain.

Rails 5.2

Rails 5.2 has built-in support for CSP. Configure CSP and enable automatic nonce generation in config/initializers/content_security_policy.rb with:

Rails.application.config.content_security_policy do |policy|
  policy.script_src  :self
  policy.style_src   :self
end

Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

Enable unsafe inline styles on actions that have charts:

class ChartsController < ApplicationController
  content_security_policy only: :index do |policy|
    policy.style_src :self, :unsafe_inline
  end
end

And create an initializer with:

Chartkick.options[:nonce] = true
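As an added illustration that is not part of Chartkick's documentation or code: a small Ruby model of how the per-request nonce from the Rails configuration above ends up in the Content-Security-Policy header, and which inline content a browser then accepts. It assumes, as in the Rails 5.2 setup, that only script-src receives the nonce (the nonce_directives parameter); the function names and the simplified matching rule (CSP Level 2: 'unsafe-inline' is ignored once a directive carries a nonce or hash source) are mine.

```ruby
require "securerandom"

# Per-request nonce, the same shape as the generator in the Rails initializer.
NONCE_GENERATOR = ->(_request) { SecureRandom.base64(16) }

# Build a Content-Security-Policy header value from a directive => sources hash,
# appending the 'nonce-…' source to the directives that receive the nonce
# (assumed default: script-src only, as in Rails 5.2).
def build_csp(policy, nonce, nonce_directives: %w[script-src])
  policy.map do |directive, sources|
    sources = sources + ["'nonce-#{nonce}'"] if nonce_directives.include?(directive)
    "#{directive} #{sources.join(' ')}"
  end.join("; ")
end

# Parse a header value back into { directive => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    directive, *sources = part.strip.split(/\s+/)
    acc[directive] = sources
  end
end

# Decide whether an inline <script>/<style> (or a style attribute, which can
# never carry a nonce) is allowed under the given directive.
# Simplified CSP Level 2 rule: a matching 'nonce-…' source allows the element;
# 'unsafe-inline' allows it only when the directive has no nonce/hash sources.
def inline_allowed?(header, directive, element_nonce: nil)
  sources = parse_csp(header).fetch(directive, [])
  nonce_sources = sources.select { |s| s.start_with?("'nonce-") }
  hash_sources  = sources.select { |s| s.start_with?("'sha") }
  return true if element_nonce && nonce_sources.include?("'nonce-#{element_nonce}'")
  sources.include?("'unsafe-inline'") && nonce_sources.empty? && hash_sources.empty?
end

# Constructed walk-through of the two policies above: the global one and the
# charts action that adds 'unsafe-inline' to style-src.
nonce  = NONCE_GENERATOR.call(nil)
strict = build_csp({ "script-src" => ["'self'"], "style-src" => ["'self'"] }, nonce)
charts = build_csp({ "script-src" => ["'self'"], "style-src" => ["'self'", "'unsafe-inline'"] }, nonce)
puts strict, charts
```

The last case in the test below is the caveat worth remembering: if the nonce is also added to style-src, the 'unsafe-inline' granted for the charts action is ignored by the browser and Chartkick's inline style attributes are blocked again.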

Secure Headers

Configure CSP in config/initializers/secure_headers.rb with:

SecureHeaders::Configuration.default do |config|
  config.csp = {
    default_src: %w('none'),
    script_src: %w('self'),
    style_src: %w('self')
  }
end

SecureHeaders::Configuration.named_append(:charts) do |request|
  {style_src: %w('unsafe-inline')}
end

Enable unsafe inline styles on actions that have charts:

class ChartsController < ApplicationController
  def index
    use_content_security_policy_named_append(:charts)
  end
end

And create an initializer with:

Chartkick.options[:nonce] = true