Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP render js partial and best practice query? #152

Closed
cheeyeo opened this issue Jul 1, 2015 · 6 comments
Closed

CSP render js partial and best practice query? #152

cheeyeo opened this issue Jul 1, 2015 · 6 comments

Comments

@cheeyeo
Copy link

cheeyeo commented Jul 1, 2015

Hi

firstly, thanks for the great gem!

I have a quick query on setting the right CSP config for script_src in a rails application?

I have a remote UJS action which has a corresponding '.js.erb' template which runs some javascript when rendered. However, CSP blocks it from working unless I have 'eval' set inside script_src which is not secure.

Are there any recommendations to resolve this?

thanks
@oreoshake
Copy link
Contributor

I'm assuming you're using something like:

$.ajax({
    url: 'somewhere',
    type: 'POST',
    dataType: 'script' 
});

"script": Evaluates the response as JavaScript and returns it as plain text....

From http://api.jquery.com/jquery.ajax/

I'd suggest not using js.erb. While it's entirely possible to use it safely, it's so easy to get it wrong and the consequences are pretty bad. If you can describe your use case, I can try to help you come up with a way to accomplish the same task without the use of js.erb.

@mpugach
Copy link

mpugach commented Oct 25, 2015

Hello @oreoshake

I'm in same situation, here is my js template and here is the call.

So a person is shown to admin and he can select an academic group to move the person to. When the person group is changed, I want the js.erb to be rendered, so the admin can see new person's group immediately.

What do you suggest me to do?

@oreoshake
Copy link
Contributor

I suggest you make the ajax call return the necessary data (@academic_group.title, the link to that object, @academic_group.id) and move the javascript into the response handler for that ajax request. Separate the code and data.

@mpugach
Copy link

mpugach commented Oct 27, 2015

thank you, than other case I will move into React component (since the lib is already in the project). What do you think?

@oreoshake
Copy link
Contributor

makes sense to me

@Gekk3
Copy link

Gekk3 commented Mar 11, 2016

How can I allow render js partial like in the code below, safely?

test.rb

class TestsController
   def index
       @students = Student.all
       respond_to do |format|
          format.js { render :action=> "list" }
       end
   end
end

list.js.rb

$(".source").html("<%= escape_javascript render @students %>");

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cheeyeo @mpugach @oreoshake @Gekk3