Add the `nonce: true` option for `javascript_include_tag` helper. #32607
Conversation
r? @schneems (@rails-bot has picked a reviewer for you, use r? to override)
r? @pixeltrix
94917e9 to 47013a7
@yaroslav thanks!
…include_tag Add the `nonce: true` option for `javascript_include_tag` helper.
Is there a reason this can't just default to Why do I have specifically to pass If you are using a strict CSP (and you should be), it seems like you would want a nonce added to every But it is all too easy to forget to manually add And since it only adds an automatic nonce value if you have Content Security Policy enabled, I would think it would be a safe default. So my question is, why wouldn't you want it to always add the nonce? https://csp.withgoogle.com/docs/strict-csp.html recommends:
To that end, I've been overriding
(If for some reason you ever didn't want a nonce somewhere, you could still override by passing
Generally it's a good idea to have defaults that are secure and setting Are you linking to a lot of external JS from a variety of domains? If so a more secure option would be to use Subresource Integrity than blindly adding a nonce value.
Summary

Add the `nonce: true` option for `javascript_include_tag` helper to support automatic nonce generation for Content Security Policy. Works the same way as previously introduced `javascript_tag nonce: true` does. This way, one does not have to do `..., nonce: content_security_policy_nonce` everywhere in templates to do nonce-based script-src CSP.
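To make the mechanism concrete outside of Rails, here is an added, self-contained stand-in (not Rails' own code and not part of this PR): one nonce per request is shared by the CSP header and by every tag emitted with `nonce: true`, and a small defender-side check lists script tags that would be blocked because they lack the header's nonce. The class `NoncePolicy`, its `header_value`, and `scripts_missing_nonce` are assumed names for this illustration.

```ruby
require "securerandom"

# Illustrative stand-in for the behaviour described in the PR (not Rails code):
# a per-request nonce that both the CSP header and script tags are built from.
class NoncePolicy
  attr_reader :nonce

  # A fresh random nonce per request; a fixed one may be injected for tests.
  def initialize(nonce: SecureRandom.base64(16))
    @nonce = nonce
  end

  # Mirrors javascript_include_tag(src, nonce: true): the nonce attribute is
  # only emitted when nonce: true is passed, as in the PR.
  def javascript_include_tag(src, nonce: false)
    attrs = [%(src="#{src}")]
    attrs << %(nonce="#{@nonce}") if nonce
    "<script #{attrs.join(' ')}></script>"
  end

  # Value for a strict, nonce-based Content-Security-Policy header.
  def header_value
    "script-src 'nonce-#{@nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"
  end
end

# Defender-side check over a rendered response: returns the opening <script>
# tags that do not carry the nonce named in the CSP header. Under a nonce-based
# script-src those are exactly the scripts the browser will refuse to run.
def scripts_missing_nonce(header, html)
  nonce = header[/'nonce-([^']+)'/, 1]
  return [] if nonce.nil? # not a nonce-based policy, nothing to enforce
  html.scan(/<script\b[^>]*>/).reject { |tag| tag.include?(%(nonce="#{nonce}")) }
end

if __FILE__ == $PROGRAM_NAME
  policy = NoncePolicy.new
  # Constructed sample page: one tag rendered with nonce: true, one without.
  body = policy.javascript_include_tag("/assets/app.js", nonce: true) +
         policy.javascript_include_tag("/assets/vendor.js")
  puts "Content-Security-Policy: #{policy.header_value}"
  puts "Blocked scripts: #{scripts_missing_nonce(policy.header_value, body).inspect}"
end
```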