Skip to content

Commit

Permalink
Automatically add a nonce to script tag if a csp-nonce meta tag is av…
Browse files Browse the repository at this point in the history
…ailable to get it from

Resolves brentd#100
  • Loading branch information
TylerRick committed Sep 10, 2019
1 parent 6fb0c9d commit 79dfb3a
Show file tree
Hide file tree
Showing 5 changed files with 26 additions and 1 deletion.
7 changes: 6 additions & 1 deletion lib/xray/middleware.rb
Original file line number Diff line number Diff line change
Expand Up @@ -110,10 +110,15 @@ def script_matcher(script_name)
/x
end

def nonce_from_meta_tag(html)
(match = html.match(/<meta name="csp-nonce" content="([^"]*)"/)) && match[1]
end

# Appends the given `script_name` after the `after_script_name`.
def append_js!(html, after_script_name, script_name)
html.sub!(script_matcher(after_script_name)) do
"#{$~}\n" + helper.javascript_include_tag(script_name)
nonce = nonce_from_meta_tag(html)
"#{$~}\n" + (helper.javascript_include_tag(script_name, nonce: nonce))
end
end

Expand Down
8 changes: 8 additions & 0 deletions spec/dummy/app/controllers/application_controller.rb
Original file line number Diff line number Diff line change
@@ -1,9 +1,17 @@
class ApplicationController < ActionController::Base
protect_from_forgery

content_security_policy only: :strict_csp do |policy|
policy.script_src :self, :strict_dynamic
end

def root
end

def strict_csp
render :root
end

# For the tests
def non_html
render json: {foo: 'bar'}
Expand Down
1 change: 1 addition & 0 deletions spec/dummy/app/views/layouts/application.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
<%= stylesheet_link_tag "application", :media => "all" %>
<%= javascript_include_tag "application" %>
<%= csrf_meta_tags %>
<%= csp_meta_tag %>
</head>
<body>

Expand Down
5 changes: 5 additions & 0 deletions spec/dummy/config/initializers/content_security_policy.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Rails.application.config.content_security_policy do |policy|
# Empty
end

Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
6 changes: 6 additions & 0 deletions spec/xray/middleware_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,12 @@ def mock_response(status, content_type, body)
expect(page).to have_selector('script[src^="/assets/xray"]')
end

it "adds nonce to the script tag" do
visit '/'
expect(page).to have_selector('script[src^="/assets/xray"][nonce]')
expect(page.find('script[src^="/assets/xray"]')[:nonce]).to eq page.find('meta[name="csp-nonce"]')[:content]
end

it "injects the xray bar into the response" do
visit '/'
expect(page).to have_selector('#xray-bar')
Expand Down

0 comments on commit 79dfb3a

Please sign in to comment.