diff --git a/README.md b/README.md index f7c1024..05807ec 100644 --- a/README.md +++ b/README.md @@ -10,8 +10,8 @@ To use phraseapp-in-context-editor-ruby with your application you have to: -* Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup) -* Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html) +- Sign up for a Phrase account: [https://app.phrase.com/signup](https://app.phrase.com/signup) +- Use the excellent [i18n](https://github.com/ruby-i18n/i18n) gem also used by [Rails](https://guides.rubyonrails.org/i18n.html) ### Demo @@ -21,11 +21,13 @@ Login via the demo credentials `demo@phrase.com` / `phrase` ### Installation #### NOTE: You can not use the old version of the ICE with integration versions of >2.0.0, you have to instead use 1.x.x versions as before + #### via Gem ```bash gem install phraseapp-in-context-editor-ruby ``` + #### via Bundler Add it to your `Gemfile` @@ -84,6 +86,7 @@ Old version of the ICE is not available since version 2.0.0. If you still would #### Using the US Datacenter with ICE In addition to the settings in your `config/initializers/phraseapp_in_context_editor.rb`, set the US datacenter to enable the ICE to work with the US endpoints. + ```ruby config.enabled = true config.project_id = "YOUR_PROJECT_ID" 
@@ -91,6 +94,18 @@ In addition to the settings in your `config/initializers/phraseapp_in_context_ed config.datacenter = "us" ``` +#### Using with CSP + +The script will automatically get the nonce from `content_security_policy_nonce` +The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_src` since we are loading more scripts dynamically because of our way of deploying + +```ruby + policy.script_src :self, :https, :strict_dynamic + policy.style_src :self, :https +``` + +The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases + ### Browser support This library might not work out of the box for some older browser or IE11. We recommend to add [Babel](https://github.com/babel/babel) to the build pipeline if those browser need to be supported. diff --git a/examples/demo/app/views/layouts/application.html.erb b/examples/demo/app/views/layouts/application.html.erb index 0681b3c..789180f 100644 --- a/examples/demo/app/views/layouts/application.html.erb +++ b/examples/demo/app/views/layouts/application.html.erb @@ -6,7 +6,7 @@ <%= csrf_meta_tags %> <%= csp_meta_tag %> - <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %> + <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %> <%= javascript_importmap_tags %> <%= load_in_context_editor %> diff --git a/examples/demo/config/initializers/content_security_policy.rb b/examples/demo/config/initializers/content_security_policy.rb index 54f47cf..5898383 100644 --- a/examples/demo/config/initializers/content_security_policy.rb +++ b/examples/demo/config/initializers/content_security_policy.rb 
@@ -4,22 +4,22 @@ # See the Securing Rails Applications Guide for more information: # https://guides.rubyonrails.org/security.html#content-security-policy-header -# Rails.application.configure do -# config.content_security_policy do |policy| -# policy.default_src :self, :https -# policy.font_src :self, :https, :data -# policy.img_src :self, :https, :data -# policy.object_src :none -# policy.script_src :self, :https -# policy.style_src :self, :https -# # Specify URI for violation reports -# # policy.report_uri "/csp-violation-report-endpoint" -# end -# -# # Generate session nonces for permitted importmap and inline scripts -# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } -# config.content_security_policy_nonce_directives = %w(script-src) -# -# # Report violations without enforcing the policy. -# # config.content_security_policy_report_only = true -# end +Rails.application.configure do + config.content_security_policy do |policy| + policy.default_src :self, :https + policy.font_src :self, :https, :data + policy.img_src :self, :https, :data + policy.object_src :none + policy.script_src :self, :https, :strict_dynamic + policy.style_src :self, :https + # Specify URI for violation reports + # policy.report_uri "/csp-violation-report-endpoint" + end + + # Generate session nonces for permitted importmap and inline scripts + config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } + config.content_security_policy_nonce_directives = %w[script-src style-src] + + # Report violations without enforcing the policy. + # config.content_security_policy_report_only = true +end diff --git a/lib/phraseapp-in-context-editor-ruby/view_helpers.rb b/lib/phraseapp-in-context-editor-ruby/view_helpers.rb index df4f2ec..2ee70d9 100644 --- a/lib/phraseapp-in-context-editor-ruby/view_helpers.rb +++ b/lib/phraseapp-in-context-editor-ruby/view_helpers.rb 
@@ -22,7 +22,7 @@ def load_in_context_editor(opts = {}) }.merge(opts) snippet = <<-EOS - ") } end
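Review bot: in the README hunk under `#### Using with CSP`, the justification for `:strict_dynamic` is incomplete and should state its consequence: in browsers that implement CSP3 `'strict-dynamic'`, the host-source allowances `:self, :https` on `policy.script_src` are ignored, and only scripts carrying the nonce, plus scripts those nonced scripts insert via DOM APIs (`document.createElement('script')` and `appendChild`), are executed; scripts added through `document.write` or parser-inserted markup are still blocked. The sentence "The script will automatically get the nonce from `content_security_policy_nonce`" also needs a period and a precondition: `content_security_policy_nonce` returns nil unless `config.content_security_policy_nonce_generator` is set, which the README never mentions even though the demo initializer in this same patch sets it. Finally, the `style-src` caveat ("might break some styling in some cases") should say why: once `style-src` is in `content_security_policy_nonce_directives`, any `<style>` element without the nonce and every inline `style="..."` attribute (which cannot carry a nonce) is blocked, so applications relying on those need to keep `style-src` out of that list.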
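Review bot: in the `examples/demo/config/initializers/content_security_policy.rb` hunk, `config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }` makes the nonce equal to the session id, so it stays constant for the life of the session and the session identifier is written into the CSP header and every nonced `<script>`/`<link>` tag of each page; that is the commented-out Rails template value, but for a demo that users will copy, a per-request value such as `->(request) { SecureRandom.base64(16) }` is the safer default, and the session-id variant should only be kept, with a comment saying so, where full-page caching requires a stable nonce. The `policy.script_src :self, :https, :strict_dynamic` line should also carry a comment that `:self, :https` are retained only as a fallback for browsers without `'strict-dynamic'` support, since otherwise readers will assume the host sources still apply.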
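Review bot: in the `examples/demo/app/views/layouts/application.html.erb` hunk, `nonce: true` on `stylesheet_link_tag` only has an effect when `style-src` is listed in `config.content_security_policy_nonce_directives` (the demo initializer does list it); since the README tells users that including `style-src` there may break styling, a short ERB comment next to the tag, or a sentence in the README, should say that this `nonce: true` can be dropped together with `style-src` when the nonce is applied to scripts only.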
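Review bot: the body of the `snippet` heredoc in `load_in_context_editor` in `lib/phraseapp-in-context-editor-ruby/view_helpers.rb` is not visible in this hunk as shown (only `snippet = <<-EOS - ") } end` survives), so the change the README describes cannot be verified here; before merging, confirm that the emitted `<script>` tag carries `nonce="#{content_security_policy_nonce}"` (the helper the README names), that no empty `nonce` attribute is emitted when no nonce generator is configured (an empty value matches no `'nonce-...'` source and the tag would be blocked while looking nonced), and that any further scripts this snippet loads are inserted with `document.createElement`/`appendChild` rather than `document.write`, because the `:strict_dynamic` policy this patch requires only propagates trust through DOM-inserted scripts.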