Allow to pass options to csp_meta_tag
#35269
Conversation
| @@ -14,9 +14,11 @@ module CspHelper | |||
| # This is used by the Rails UJS helper to create dynamically | |||
| # loaded inline <script> elements. | |||
| # | |||
| def csp_meta_tag | |||
| def csp_meta_tag(options = {}) | |||
There was a problem hiding this comment.
How about using splat hash?
Since Ruby 2.6, this options hash would cause a warning like here:
def foo(a = {})
a
end
a = { foo: "foo" }
p foo(a.merge(bar: "bar"))
p foo(**a, bar: "bar")% ruby -w xxx.rb
{:foo=>"foo", :bar=>"bar"}
xxx.rb:1: warning: in `foo': the last argument was passed as a single Hash
xxx.rb:8: warning: although a splat keyword arguments here
{:foo=>"foo", :bar=>"bar"}
There was a problem hiding this comment.
Thanks, make sense. I fixed.
y-yagi
force-pushed
the
allow_to_pass_options_to_csp_meta_tag
branch
from
1c436a5
to
c9e682d
Compare
| tag("meta", name: "csp-nonce", content: content_security_policy_nonce) | ||
| options[:name] = "csp-nonce" | ||
| options[:content] = content_security_policy_nonce | ||
| tag("meta", options) |
There was a problem hiding this comment.
Could switch to tag.meta while we’re here.
There was a problem hiding this comment.
What about keeping the line the same but unsplatting the options at the end of the tag call?
There was a problem hiding this comment.
In tag("meta") and tag.meta, the generated tags are slightly different.
helper.tag("meta", name: "csp-nonce")
#=> "<meta name=\"csp-nonce\" />"
helper.tag.meta(name: "csp-nonce")
#=> "<meta name=\"csp-nonce\"> Of course, since meta tag is a void element, it is not necessary to have a close tag. However, the tag generated by csrf_meta_tags have a close tag, and I think that it is better to behave similarly so that the closing tag is generated.
What about keeping the line the same but unsplatting the options at the end of the tag call?
👍 I fixed.
There was a problem hiding this comment.
What about keeping the line the same but unsplatting the options at the end of the tag call?
It would cause a warning https://travis-ci.org/rails/rails/jobs/493601600#L1254-L1256.
There was a problem hiding this comment.
I screwed up! Thanks again!
y-yagi
force-pushed
the
allow_to_pass_options_to_csp_meta_tag
branch
from
c9e682d
to
3f6b618
Compare
Currently `csp_meta_tag` generates `name` attribute only. However, in libraries like `Material-UI` and `JSS`, expect that the meta tag that contains the nonce with `property` attribute. https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp https://github.com/cssinjs/jss/blob/master/docs/csp.md This patch allows `csp_meta_tag` to specify arbitrary options and allows `nonce` to be passed to those libraries.
y-yagi
force-pushed
the
allow_to_pass_options_to_csp_meta_tag
branch
from
3f6b618
to
9693733
Compare
Currently
csp_meta_taggeneratesnameattribute only.However, in libraries like
Material-UIandJSS, expect that the meta tag that contains the nonce withpropertyattribute.https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp
https://github.com/cssinjs/jss/blob/master/docs/csp.md
This patch allows
csp_meta_tagto specify arbitrary options and allowsnonceto be passed to those libraries.