Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the ability to set the CSP nonce only to the specified directives #36534

Merged
merged 1 commit into from Jul 2, 2019
Merged

Add the ability to set the CSP nonce only to the specified directives #36534

merged 1 commit into from Jul 2, 2019

Conversation

y-yagi
Copy link
Member

@y-yagi y-yagi commented Jun 22, 2019

I changed to set CSP nonce to style-src directive in #32932.
But this causes an issue when unsafe-inline is specified to style-src (If a nonce is present, a nonce takes precedence over unsafe-inline).

So, I fixed to nonce directives configurable. By configure this, users can make CSP as before.

Fixes #35137.

@y-yagi
Add the ability to set the CSP nonce only to the specified directives
09d55b3 
I changed to set CSP nonce to `style-src` directive in rails#32932.
But this causes an issue when `unsafe-inline` is specified to `style-src`
(If a nonce is present, a nonce takes precedence over `unsafe-inline`).

So, I fixed to nonce directives configurable. By configure this, users
can make CSP as before.

Fixes rails#35137.
@y-yagi y-yagi requested a review from pixeltrix June 22, 2019 03:46
@y-yagi y-yagi mentioned this pull request Jun 29, 2019
Closed
@y-yagi y-yagi merged commit 141b306 into rails:master Jul 2, 2019
@y-yagi y-yagi deleted the fixes_35137 branch July 2, 2019 23:23
y-yagi added a commit that referenced this pull request Jul 2, 2019
@y-yagi
Merge pull request #36534 from y-yagi/fixes_35137
a23128a 
Add the ability to set the CSP nonce only to the specified directives
@ajesler ajesler mentioned this pull request Jul 1, 2020
Open
bendilley
bendilley reviewed Feb 21, 2024
View reviewed changes
actionpack/lib/action_dispatch/http/content_security_policy.rb
def nonce_directive?(directive)
NONCE_DIRECTIVES.include?(directive)
def nonce_directive?(directive, nonce_directives)
nonce_directives.include?(directive)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To account for this being overridden in the controller with 'unsafe-inline' :

      nonce_directives.include?(directive) &&
      !directives[directive].include?(MAPPINGS[:unsafe_inline])

I have a situation where I'd like to default to nonce-generation, but go unsafe-inline for some requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bendilley bendilley bendilley left review comments

@pixeltrix pixeltrix pixeltrix approved these changes

Assignees
No one assigned
Labels
actionpack railties
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

style-src should not have a nonce when you enable application.config.content_security_policy_nonce_generator
3 participants
@y-yagi @pixeltrix @bendilley