Automatically add a nonce to script tag if a csp-nonce meta tag is available to get it from #101
Conversation
|
Thanks for the PR! I left some initial comments. I won't be able to approve or merge this PR until we get Travis CI working. @brentd or @TylerRick do you know why we aren't seeing CI checks on this PR? |
|
I manually restarted the Travis CI build and it seems to be working now 🤔 |
|
@TylerRick This is failing CI because CI is testing against Rails < 6. I think the appropriate next steps are:
Can you help with either or both of those? |
TylerRick
force-pushed
the
add_nonce
branch
4 times, most recently
from
e2df4c9 to
7c6bcf8
Compare
Good catch. I've updated it to only run CSP-related test code for Rails >= 5.2. I also added Rails 6 (and 5.2) to the testing matrix. It's a really trivial change. I don't think we need a separate PR for that unless you're likely to not merge this one right away... Also had to fix another issue related to sprockets 4... Everything is in pretty self-contained commits if we need to cherry pick anything. Now just trying to fix the test failures... hopefully they'll pass this time around 🤞 |
TylerRick
force-pushed
the
add_nonce
branch
2 times, most recently
from
246c711 to
fb29639
Compare
Spread out the Rails versions in travis.yml a bit and test 5.2, not just 5.0
This resolves a bunch of (6) test failures that were failing due to an error page that said: To allow requests to www.example.com, add the following to your environment configuration: config.hosts << "www.example.com" This was added as part of ActionDispatch::HostAuthorization in Rails 6. See: - https://guides.rubyonrails.org/6_0_release_notes.html#action-pack-notable-changes - https://guides.rubyonrails.org/configuring.html#configuring-middleware
…ometimes get added by Sprockets 4 pipelines
…ng Ctrl+Shift+X makes the Xray UI appear This verifies that there are no JavaScript errors that would prevent it from working, even though the xray.js script was injected into the document (as tested by spec/xray/middleware_spec.rb).
…use some optional debugging tools like byebug and pry
(Since Gemfile.lock isn't currently under version control, and probably can't be since RAILS_VERSION
is dynamic.)
Without this, it will install the latest version, 4.0, which uses &. not available in older Rubies, causing errors like this:
ruby/2.1.0/gems/rspec-rails-4.0.0/lib/rspec/rails/example/mailer_example_group.rb:25: syntax error, unexpected '.'
options&.each { |key, value| default_u...
Sprockets::Railtie::ManifestNeededError: Expected to find a manifest file in `app/assets/config/manifest.js` but did not
… puts page.html instead so we can figure out why it failed
... if a csp-nonce meta tag is available to get it from. - Added test that confirms that nonce is added - Added an end-to-end test that uses a strict CSP. Confirmed that this fails without the nonce added to javascript_include_tag calls. - With Sprockets 4, it doesn't add a separate script tag for jquery, so add an explicit javascript_include_tag "jquery" for that case Co-authored-by: Matt Brictson <mattbrictson@users.noreply.github.com>
|
Okay, finally got tests passing. Merge please? Wasted too much time getting it to work with old Rubies/Rails, when I think the correct path should be to just remove support for them going forward (#109)... Also, now that I realize how easy it is to just manually include this in my app: <%= javascript_include_tag 'xray', nonce: true if Rails.env.development? %>I regret even wasting my time getting it to automatically look for and add a nonce to the auto-injected xray.js script. I think we should even consider just removing the auto-injecting feature (#110). But in any case, even if that ends up getting removed in the future, this PR still has some changes that will be valuable going forward, such as updates to support Sprockets 4, and a simple end-to-end test to make sure the JS actually works (and there weren't any run-time JS errors)... |
|
Hi @mattbrictson, I love this gem and wie just upgraded to sprockets 4. #113 Do you plan to continue merging MR and releaseing new versions for this Gem? If I can help in any way please let me know. |
|
Hi @brentd, I just saw that you released a new version for the gem. I would like to contribute to this gem. Currentle I'm working on my own branch which is based on this Pull request. If you merge this in I can add some value:
Hope to help |
|
Hi @rocket-turtle - since I'm rewriting xray, in the meantime I will accept PRs with small non-breaking changes. From what I can tell your changes seem OK; I can probably make an exception for removing Ruby 1.9 support since your change toward Module prepend is good. However, I may end up removing any/ all contributions in the rewrite, so please be aware. Once released I will tag the rewrite version 1.0 and as it will likely not support old versions of Ruby/Rails, pre-1.0 users may still benefit from your changes. |
Resolves #100