Allow to pass options to csp_meta_tag
#35269
@@ -14,9 +14,11 @@ module CspHelper | |||
# This is used by the Rails UJS helper to create dynamically | |||
# loaded inline <script> elements. | |||
# | |||
def csp_meta_tag | |||
def csp_meta_tag(options = {}) |
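Review bot: the comment block above `def csp_meta_tag(options = {})` still describes only the Rails UJS use and does not mention the new `options` argument. Add a line there saying which attributes callers may pass and whether any are reserved by the helper, so the parameter is documented at the point where the signature changes.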
How about using splat hash?
Since Ruby 2.6, this options hash would cause a warning like here:
```ruby
def foo(a = {})
  a
end
a = { foo: "foo" }
p foo(a.merge(bar: "bar"))
p foo(**a, bar: "bar")
```

```
% ruby -w xxx.rb
{:foo=>"foo", :bar=>"bar"}
xxx.rb:1: warning: in `foo': the last argument was passed as a single Hash
xxx.rb:8: warning: although a splat keyword arguments here
{:foo=>"foo", :bar=>"bar"}
```
Thanks, that makes sense. I fixed it.
1c436a5 to c9e682d
tag("meta", name: "csp-nonce", content: content_security_policy_nonce) | ||
options[:name] = "csp-nonce" | ||
options[:content] = content_security_policy_nonce | ||
tag("meta", options) |
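Review bot: `options[:name] = "csp-nonce"` and `options[:content] = content_security_policy_nonce` write into `options` in place, so when that is a hash passed in by the caller, the caller's hash comes back with `name` and `content` added. Build the attributes without mutating the argument, for example `tag("meta", options.merge(name: "csp-nonce", content: content_security_policy_nonce))`, which still lets the helper's `name` and `content` take precedence over caller-supplied values.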
Could switch to tag.meta while we’re here.
What about keeping the line the same but unsplatting the options at the end of the tag call?
In `tag("meta")` and `tag.meta`, the generated tags are slightly different.

```ruby
helper.tag("meta", name: "csp-nonce")
#=> "<meta name=\"csp-nonce\" />"
helper.tag.meta(name: "csp-nonce")
#=> "<meta name=\"csp-nonce\">"
```

Of course, since the meta tag is a void element, it is not necessary to have a close tag. However, the tags generated by `csrf_meta_tags` have a close tag, and I think that it is better to behave similarly so that the closing tag is generated.

> What about keeping the line the same but unsplatting the options at the end of the tag call?

👍 I fixed it.
> What about keeping the line the same but unsplatting the options at the end of the tag call?

It would cause a warning https://travis-ci.org/rails/rails/jobs/493601600#L1254-L1256.
I screwed up! Thanks again!
c9e682d to 3f6b618
Currently `csp_meta_tag` generates the `name` attribute only. However, libraries like `Material-UI` and `JSS` expect the meta tag that contains the nonce to have a `property` attribute.

https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp
https://github.com/cssinjs/jss/blob/master/docs/csp.md

This patch allows `csp_meta_tag` to specify arbitrary options and allows `nonce` to be passed to those libraries.
3f6b618 to 9693733
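A stand-alone Ruby sketch of the behaviour the PR description asks for, added here as an example; it is not the Rails implementation or code from this PR. `csp_meta_tag_sketch`, `render_meta`, `ATTR_NAME` and the explicit `nonce` argument are hypothetical, and the tag is rendered by hand instead of through ActionView's `tag` helper.

```ruby
require "erb"
require "securerandom"

# Hypothetical allow-list for attribute names (assumption, not from Rails).
ATTR_NAME = /\A[a-zA-Z][a-zA-Z0-9_:-]*\z/

# Render a self-closing <meta> tag by hand. Attribute values are HTML-escaped
# and attribute names are validated, so caller-supplied options cannot break
# out of the tag.
def render_meta(attrs)
  pairs = attrs.map do |key, value|
    unless ATTR_NAME.match?(key.to_s)
      raise ArgumentError, "invalid attribute name: #{key.inspect}"
    end
    %(#{key}="#{ERB::Util.html_escape(value.to_s)}")
  end
  "<meta #{pairs.join(' ')} />"
end

# Keyword splat lets callers add attributes such as property: "csp-nonce".
# name and content are merged last, so caller options cannot replace the
# nonce, and merge returns a new hash, so the caller's hash is not mutated.
def csp_meta_tag_sketch(nonce, **options)
  render_meta(options.merge(name: "csp-nonce", content: nonce))
end

if __FILE__ == $PROGRAM_NAME
  nonce = SecureRandom.base64(16) # constructed sample nonce
  puts csp_meta_tag_sketch(nonce, property: "csp-nonce")
end
```
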