Skip to content

Commit

Permalink
Ensure Dashboard inline javascript has CSP nonce for strict Content-S…
Browse files Browse the repository at this point in the history 
…ecurity Policy (#309)
  • Loading branch information
@bensheldon
bensheldon authored Jul 26, 2021
1 parent c2e8c91 commit a870c99
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
4 changes: 2 additions & 2 deletions engine/app/views/shared/_chart.erb
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<div id="chart"></div>

<script>
<%= javascript_tag nonce: true do %>
new Chartist.Line('#chart', <%== chart_data.to_json %>, {
height: '300px',
fullWidth: true,
Expand Down Expand Up @@ -49,4 +49,4 @@
tooltipEl.style.left = (event.offsetX || event.originalEvent.layerX) + tooltipEl.offsetWidth + 10 + 'px';
tooltipEl.style.top = (event.offsetY || event.originalEvent.layerY) + tooltipEl.offsetHeight - 20 + 'px';
}, true);
</script>
<% end %>
15 changes: 15 additions & 0 deletions spec/test_app/config/initializers/content_security_policy.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,18 @@
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true

Rails.application.config.content_security_policy do |policy|
policy.default_src :none
policy.connect_src :self
policy.base_uri :none
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self
policy.style_src :self
policy.form_action :self
policy.frame_ancestors :self
end

Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

0 comments on commit a870c99

Please sign in to comment.