Content Security Policy

[jmstfv]

@markets 👋

I have enabled a Content Security Policy but that breaks invisible captcha since inlined CSS changes every second. I can make it work by setting style-src to unsafe-inline but that's more of a hack.

Is there a way to insert a nonce to a generated<style> tag?

[markets]

Hi @jmstfv 👋 to be honest I didn't tried yet this combination: CSP + invisible_captcha. So not sure what's happening here...

Couple of comments:

• generated <style> tag doesn't allow any kind of override right now:

  invisible_captcha/lib/invisible_captcha/view_helpers.rb

  Line 57 in 02b9eb9

  content_tag(:style, media: 'screen') do

• styles can be injected in <head> using the injectable_styles option: https://github.com/markets/invisible_captcha#plugin-options

[jmstfv]

I see.

One way of doing it would be adding html_options parameter that we could then pass along to the content_tag:

html_options[:nonce] = content_security_policy_nonce if html_options[:nonce] == true

content_tag(:style, media: 'screen', html_options) do

Then users could pass nonce: true attribute, just like here (scroll to the bottom of that section).

<%= invisible_captcha_styles nonce: true %>

Here is the sample code that demonstrates that: slim-template/slim#810 (comment)

Are you open for a PR?

[markets]

Ok @jmstfv PRs for CSP support are welcome!

About the implementation, it's seems fine to me to allow html_options to be passed to the syle TAG, but we should make it work for both options: injectable_styles = true | false.

Maybe we can use the options argument, which is passed along the methods and actually used to allow other custom options:

invisible_captcha/lib/invisible_captcha/view_helpers.rb

Line 25 in 02b9eb9

def build_invisible_captcha(honeypot = nil, scope = nil, options = {})

=>

invisible_captcha/lib/invisible_captcha/view_helpers.rb

Line 48 in 02b9eb9

def visibility_css(css_class, options)

Thanks.