Merge pull request #296 from mikelkew/csp-nonce

Add CSP nonce to injected scripts and styles
rails · Aug 19, 2020 · 28dfbc4 · 28dfbc4
2 parents e1ed9e6 + bc5d230
commit 28dfbc4
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/lib/web_console/templates/console.js.erb b/lib/web_console/templates/console.js.erb
@@ -257,6 +257,8 @@ var promptBoxHtml = <%= render_inlined_string '_prompt_box_markup.html' %>;
 var consoleStyleCss = <%= render_inlined_string 'style.css' %>;
 // Insert a style element with the unique ID
 var styleElementId = 'sr02459pvbvrmhco';
+// Nonce to use for CSP
+var styleElementNonce = '<%= @nonce %>';
 
 // REPLConsole Constructor
 function REPLConsole(config) {
@@ -441,6 +443,9 @@ REPLConsole.prototype.insertCss = function() {
   style.type = 'text/css';
   style.innerHTML = consoleStyleCss;
   style.id = styleElementId;
+  if (styleElementNonce.length > 0) {
+    style.nonce = styleElementNonce;
+  }
   document.getElementsByTagName('head')[0].appendChild(style);
 };
 

diff --git a/lib/web_console/templates/layouts/javascript.erb b/lib/web_console/templates/layouts/javascript.erb
@@ -1,4 +1,4 @@
-<script type="text/javascript" data-template="<%= @template %>">
+<script type="text/javascript" data-template="<%= @template %>" nonce="<%= @nonce %>">
 (function() {
   <%= yield %>
 }).call(this);

diff --git a/lib/web_console/view.rb b/lib/web_console/view.rb
@@ -22,6 +22,7 @@ def only_on_regular_page(*args)
     # leaking globals, unless you explicitly want to.
     def render_javascript(template)
       assign(template: template)
+      assign(nonce: @env["action_dispatch.content_security_policy_nonce"])
       render(template: template, layout: "layouts/javascript")
     end