This repository has been archived by the owner. It is now read-only.

CSP nonce make reload on every access with data-turbolinks-track #464

Open
willnet opened this issue Apr 6, 2019 · 3 comments

@willnet willnet commented Apr 6, 2019

<%= javascript_pack_tag 'application', 'data-turbolinks-track': 'reload', nonce: true %>

This javascript_pack_tag causes a reload on every access because the nonce attribute changes on every access.
If I remove 'data-turbolinks-track': 'reload', reloading never happens. But application.js is re-evaluated on every access because Turbolinks thinks of it as a new script. And reloading never happens even when the URL of the JavaScript is changed.

Is there any way for Turbolinks to get along with a CSP nonce?
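
Added example, not part of the original post and not Turbolinks' own code: a simplified model of the behavior described above, assuming tracked assets are compared by their full markup, so a per-response nonce makes two otherwise identical script tags look different. The function names, file paths and nonce values are constructed, and `ignoreNonce` is a hypothetical normalization, not a Turbolinks option.

```javascript
// Simplified model (assumption): the tracked-asset signature is the
// concatenated markup of every tag marked data-turbolinks-track="reload".
function trackedTags(headHtml) {
  const tags = headHtml.match(/<(?:script|link)\b[^>]*>/g) || [];
  return tags.filter((t) => /data-turbolinks-track=["']reload["']/.test(t));
}

// ignoreNonce is hypothetical: it drops the nonce attribute before comparing,
// so only attributes that identify the asset (such as src) remain.
function signature(headHtml, { ignoreNonce = false } = {}) {
  return trackedTags(headHtml)
    .map((t) => (ignoreNonce ? t.replace(/\snonce=(["'])[^"']*\1/g, "") : t))
    .join("");
}

// true when the two heads look like different asset sets (full page reload).
function needsReload(currentHead, nextHead, opts) {
  return signature(currentHead, opts) !== signature(nextHead, opts);
}

// Constructed sample input: each response carries a fresh nonce.
const head = (src, nonce) =>
  `<meta name="csp-nonce" content="${nonce}">` +
  `<script src="${src}" data-turbolinks-track="reload" nonce="${nonce}"></script>`;

const visit1 = head("/packs/js/application-aaa111.js", "nonce-value-1");
const visit2 = head("/packs/js/application-aaa111.js", "nonce-value-2");
const deploy = head("/packs/js/application-bbb222.js", "nonce-value-3");

// Same asset, new nonce: compared verbatim, every visit looks like a change.
console.log(needsReload(visit1, visit2)); // true
// Same asset with the nonce left out of the comparison: no reload.
console.log(needsReload(visit1, visit2, { ignoreNonce: true })); // false
// A changed asset URL is still detected when the nonce is ignored.
console.log(needsReload(visit1, deploy, { ignoreNonce: true })); // true
```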


@venables venables commented Oct 10, 2019

@willnet I experienced the same issue -- in the end my solution was to remove the nonce: true tag from my javascript_pack_tag call, and rely on CSP's 'script-src' to handle things.


@mtomov mtomov commented Aug 20, 2021

Seems like browsers - both Firefox and Chrome - strip out the nonce from those script tags before rendering the page, which is probably a security feature.

But then the Rails recommendation is to include the csp-nonce as a meta tag, which sort of defeats the purpose of hiding the nonce. But without the meta tag, no ajax requests could work, as there's nowhere to grab the current nonce from?


@willnet willnet commented Sep 21, 2021

rails/rails#43227 seems to be a solution.
