Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add nonce to vite_react_refresh_tag Rails tag helper #249

Closed
renchap opened this issue Sep 5, 2022 · 3 comments
Closed

Add nonce to vite_react_refresh_tag Rails tag helper #249

renchap opened this issue Sep 5, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@renchap
Copy link

renchap commented Sep 5, 2022

Description 📖

When using a Content Security Policy that does not allow unsafe-inline scripts, vite_react_refresh_tag does not work as inline JS is not allowed. The solution is to enable CSP nonces (Rails has a way to do it), but then the nonce is not added to the generated <script> tag and the tag is ignored.

Note that this is quite common policy using nonces or script hashes, needed for the legacy plugin for example

Solution 💡

I see 2 solutions here, and I can try a PR to implement the one you prefer:

  • Probably best solution: update react_refresh_preamble to only return the JS content, and wrap it into the framework specific tag for each framework, allowing to pass framework options as needed (for example vite_react_refresh_tag(nonce: true))
  • update vite_react_refresh_tag and react_refresh_preamble to accept a nonce argument, and add it to the generated HTML

What do you think?
@renchap renchap added the bug: pending triage Something doesn't seem to be working, but hasn't been verified label Sep 5, 2022
@ElMassimo ElMassimo added bug Something isn't working and removed bug: pending triage Something doesn't seem to be working, but hasn't been verified labels Sep 5, 2022
@ElMassimo
Copy link
Owner

Hi Renaud, thanks for reporting.

Ideally, we add a new react_preamble_code method in ViteRuby::Manifest to preserve backwards compatibility, keeping react_refresh_preamble, and then extend vite_rails to use javascript_tag with nonce: true, type: :module.

PRs are welcome!

@ElMassimo ElMassimo added enhancement New feature or request and removed bug Something isn't working labels Sep 9, 2022
@ElMassimo ElMassimo changed the title vite_react_refresh_tag does not support CSP nonces Add nonce to vite_react_refresh_tag Rails tag helper Sep 9, 2022
@mikecx
Copy link

mikecx commented Mar 31, 2023

Hey, just wondering if there's been any progress on this. We're looking to get CSP enabled and this is obviously blocking the more advanced CSP cases.

@ElMassimo
Copy link
Owner

This only affects development, where you can make an exception if needed.

PRs are welcome!

This was referenced Jun 13, 2023
Merged
Merged
ElMassimo added a commit that referenced this issue Jun 19, 2023
@ElMassimo
feat: add nonce by default to react refresh tag (close #249)
a31f0a9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@renchap @mikecx @ElMassimo