Merge pull request #292 from twitter/view_helper

add content_security_policy_script/style_nonce to view helper
github · Sep 29, 2016 · 7801462 · 7801462
2 parents a85b80c + 6f0c453
commit 7801462
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
@@ -34,6 +34,14 @@ def content_security_policy_nonce(type)
       end
     end
 
+    def content_security_policy_script_nonce
+      content_security_policy_nonce(:script)
+    end
+
+    def content_security_policy_style_nonce
+      content_security_policy_nonce(:style)
+    end
+
     ##
     # Checks to see if the hashed code is expected and adds the hash source
     # value to the current CSP.

diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -27,6 +27,16 @@ def self.template
     background-color: black;
   }
 <% end %>
+
+<script nonce="<%= content_security_policy_script_nonce %>">
+  alert(1)
+</script>
+
+<style nonce="<%= content_security_policy_style_nonce %>">
+  body {
+    background-color: black;
+  }
+</style>
 <%= @name %>
 
 TEMPLATE