Force session to exist so nonce exists

rubygems · Jan 31, 2024 · c1ec80a · c1ec80a
1 parent fe4cec9
commit c1ec80a
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -11,7 +11,6 @@
     "https://*.fastly-insights.com", "https://avatars.githubusercontent.com"
   policy.object_src  :none
   policy.script_src :self,
-                    :unsafe_inline,
                     "https://secure.gaug.es",
                     "https://www.fastly-insights.com",
                     "https://unpkg.com/@hotwired/stimulus/dist/stimulus.umd.js",
@@ -50,7 +49,12 @@
 end
 
 # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+Rails.application.config.content_security_policy_nonce_generator = lambda { |request|
+  # Suggested nonce generator doesn't work on first page load https://github.com/rails/rails/issues/48463
+  # Related PR attempting to fix: https://github.com/rails/rails/pull/48510
+  request.session.update({}) # force session to exist
+  request.session.id.to_s.presence || raise("No session ID available in #{request.inspect}")
+}
 Rails.application.config.content_security_policy_nonce_directives = %w[script-src style-src]
 
 # Report CSP violations to a specified URI. See: