Add nonced versions of Rails link/include tags #372
Conversation
Adds support for nonced versions of Rails' CSS, JavaScript and Webpacker link/include tags. * nonced_stylesheet_link_tag * nonced_javascript_include_tag * nonced_javascript_pack_tag
| # Public: create a script tag using the content security policy nonce. | ||
| # Instructs secure_headers to append a nonce to style/script-src directives. | ||
| # Instructs secure_headers to append a nonce to script-src directive. | ||
| # | ||
| # Returns an html-safe script tag with the nonce attribute. | ||
| def nonced_javascript_tag(content_or_options = {}, &block) | ||
| nonced_tag(:script, content_or_options, block) |
There was a problem hiding this comment.
Should just be a passthrough call to nonced_javascript_include_tag?
There was a problem hiding this comment.
The Rails API is a little different:
javascript_tag(content_or_options_with_block = nil, html_options = {}, &block)
javascript_include_tag(*sources)
It might work as a passthrough though, if that's preferred?
| @@ -7,21 +7,45 @@ module ViewHelpers | |||
| class UnexpectedHashedScriptException < StandardError; end | |||
|
|
|||
| # Public: create a style tag using the content security policy nonce. | |||
| # Instructs secure_headers to append a nonce to style/script-src directives. | |||
| # Instructs secure_headers to append a nonce to style-src directive. | |||
| # | |||
| # Returns an html-safe style tag with the nonce attribute. | |||
| def nonced_style_tag(content_or_options = {}, &block) | |||
| nonced_tag(:style, content_or_options, block) | |||
There was a problem hiding this comment.
Should this be a passthrough to nonced_stylesheet_link_tag instead?
There was a problem hiding this comment.
No, nonced_style_tag generates <style> whereas nonced_stylesheet_link_tag generates a <link />
| content_tag(:script, nil, options.merge(src: source)) | ||
| end | ||
|
|
||
| alias_method :javascript_pack_tag, :javascript_include_tag |
There was a problem hiding this comment.
What is the reason for the alias? Can we accomplish the same thing without the metaprogramming?
There was a problem hiding this comment.
We could, but for the purpose of this test the method is identical. Would you prefer that?
|
Released in 5.0.3 Sorry for the confusion, I was completely misreading things 😄 |
Adds support for nonced versions of Rails' CSS, JavaScript and Webpacker link/include tags.
All PRs: