Allow it to work with strict Content Security Policy; add nonce to javascript_include_tag #100
Well, adding
because it tries to delegate to
TylerRick added a commit to TylerRick/xray-rails that referenced this issue on Sep 10, 2019:
…ailable to get it from Resolves brentd#100
TylerRick added a commit to TylerRick/xray-rails that referenced this issue on Sep 10, 2019:
... if a csp-nonce meta tag is available to get it from.
TylerRick added a commit to TylerRick/xray-rails that referenced this issue on Feb 24, 2021:
... if a csp-nonce meta tag is available to get it from.
- Added test that confirms that nonce is added
- Added an end-to-end test that uses a strict CSP. Confirmed that this fails without the nonce added to javascript_include_tag calls.
Co-authored-by: Matt Brictson <mattbrictson@users.noreply.github.com>
TylerRick added a commit to TylerRick/xray-rails that referenced this issue on Feb 24, 2021:
... if a csp-nonce meta tag is available to get it from.
- Added test that confirms that nonce is added
- Added an end-to-end test that uses a strict CSP. Confirmed that this fails without the nonce added to javascript_include_tag calls.
- With Sprockets 4, it doesn't add a separate script tag for jquery, so add an explicit javascript_include_tag "jquery" for that case
Co-authored-by: Matt Brictson <mattbrictson@users.noreply.github.com>
This was referenced Feb 24, 2021
I've used this gem before with success, but I just tried adding it to an app that happens to have a strict CSP and am running into this error:

I wonder if there would be an easy fix to make it work out of the box with strict CSP. Could it be as simple as changing:
lib/xray/middleware.rb:116
:?

I don't know if that helper can access the request's nonce from within a middleware, but maybe...

(Otherwise, it could always use a regex to extract the nonce from the <meta name="csp-nonce" tag.)

As a workaround, I guess I'll have to disable my strict CSP in development, but I'd prefer to keep it strict in development as well so that I run into any CSP issues sooner...

Reference: nonce: true option for javascript_include_tag helper. rails/rails#32607
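The mechanism the issue asks for, as an added Ruby example (this is not xray-rails code and not the fix TylerRick committed): a response-rewriting middleware finds the per-request nonce in the csp-nonce meta tag that Rails renders, reuses it on the script tags it injects, and a small check models how a nonce-based script-src directive accepts or rejects such a tag. The helper names, the sample HTML and the sample CSP header are all constructed for this example.

```ruby
require 'cgi'

# Constructed sample response: roughly what a Rails layout with csp_meta_tag renders.
# Attribute order can differ in real output; the regex below tolerates that.
SAMPLE_HTML = %(<html><head><meta name="csp-nonce" content="r4nd0mN0nce" /></head><body><p>hi</p></body></html>)
SAMPLE_CSP  = "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nce'; object-src 'none'"

# Returns the per-request nonce from <meta name="csp-nonce" content="...">, or nil
# when the page carries no such tag (the middleware then has nothing to reuse).
def extract_csp_nonce(html)
  tag = html[/<meta\b[^>]*\bname=["']csp-nonce["'][^>]*>/i]
  tag && tag[/\bcontent=["']([^"']+)["']/i, 1]
end

# Builds <script src="..."> and adds nonce="..." only when a nonce is known,
# mirroring what javascript_include_tag(..., nonce: true) does in Rails.
def script_tag(src, nonce: nil)
  attrs = [%(src="#{CGI.escapeHTML(src)}")]
  attrs << %(nonce="#{CGI.escapeHTML(nonce)}") if nonce
  "<script #{attrs.join(' ')}></script>"
end

# Injects script tags before </body>, reusing the page's own nonce so the
# injected scripts pass the same strict CSP as the application's scripts.
def inject_scripts(html, srcs)
  nonce = extract_csp_nonce(html)
  tags = srcs.map { |src| script_tag(src, nonce: nonce) }.join
  html.sub('</body>', "#{tags}</body>")
end

# Models the browser-side check: under a nonce-based script-src, a script is
# executed only if its nonce attribute matches one listed in the policy.
def allowed_by_csp?(tag_html, csp_header)
  directive = csp_header[/(?:^|;)\s*script-src\s+([^;]+)/, 1].to_s
  nonces = directive.scan(/'nonce-([^']+)'/).flatten
  nonce = tag_html[/\bnonce="([^"]+)"/, 1]
  !nonce.nil? && nonces.include?(nonce)
end

if __FILE__ == $PROGRAM_NAME
  out = inject_scripts(SAMPLE_HTML, ['/assets/xray.js'])
  tag = out[/<script[^>]*xray\.js[^>]*>/]
  puts tag
  puts "allowed by strict CSP: #{allowed_by_csp?(tag, SAMPLE_CSP)}"
  puts "without nonce: #{allowed_by_csp?(script_tag('/assets/xray.js'), SAMPLE_CSP)}"
end
```

Reading the nonce back out of the rendered meta tag is the fallback the issue mentions; inside a Rails view context the cleaner route is the nonce: true option from rails/rails#32607, which obtains the same value from the request without parsing HTML. Either way the nonce must be the one the response's Content-Security-Policy header lists, which is why a tag injected without it is rejected in the check above.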