Add nonce to script-src content security policy and to the mathjax configuration script tag
sneakers-the-rat committed Dec 1, 2023
1 parent 9eacb5c commit b1f2c39
Showing 3 changed files with 13 additions and 11 deletions.
20 changes: 11 additions & 9 deletions app/views/layouts/application.html.haml
@@ -35,17 +35,19 @@
= csrf_meta_tags unless skip_csrf_meta_tags?
%meta{ name: 'style-nonce', content: request.content_security_policy_nonce }

:javascript
var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
window.MathJax = {
chtml: {nonce: nonce},
tex: {
processEnvironments: false,
processRefs: false,
inlineMath: [['\\(', '\\)']],
displayMath: [['\\[', '\\]']]
%script{ nonce: request.content_security_policy_nonce }
:plain
var nonce = document.querySelector('meta[name="style-nonce"]').getAttribute('content');
window.MathJax = {
chtml: {nonce: nonce},
tex: {
processEnvironments: false,
processRefs: false,
inlineMath: [['\\(', '\\)']],
displayMath: [['\\[', '\\]']]
}
};

%script{ src: '/MathJax/es5/tex-chtml.js' }

= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
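Review bot: the meta tag the script reads is still named 'style-nonce' (context line `%meta{ name: 'style-nonce', content: request.content_security_policy_nonce }`), but after this change the same value also authorizes script execution, so the name understates what it grants; consider renaming it to something like 'csp-nonce' and adding a comment explaining why the nonce has to be published in the DOM at all (MathJax's CHTML output reads it for the styles it injects, per `chtml: {nonce: nonce}`). Also double-check the HAML indentation of the `:plain` body under `%script{ nonce: request.content_security_policy_nonce }`; it is lost in the rendered diff, and a `:plain` block that is not nested under the `%script` tag is emitted as bare page text instead of as the script's content. Replacing the `:javascript` filter with an explicit `%script` tag is the right move, since the filter emits a `<script>` element with no nonce attribute and would be blocked as soon as `script-src` carries a nonce.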
2 changes: 1 addition & 1 deletion config/initializers/content_security_policy.rb
@@ -86,7 +86,7 @@ def sso_host

Rails.application.config.content_security_policy_nonce_generator = ->request { SecureRandom.base64(16) }

Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
Rails.application.config.content_security_policy_nonce_directives = %w(style-src script-src)

Rails.application.reloader.to_prepare do
PgHero::HomeController.content_security_policy do |p|
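Review bot: once `script-src` carries a nonce, every inline `<script>` in the app must carry it too, not only the MathJax configuration block changed in this commit; `javascript_tag` and `javascript_include_tag` accept `nonce: true`, and any template that still emits an inline script without it will be blocked by browsers. The `PgHero::HomeController.content_security_policy` block immediately below also deserves a look: a controller-level policy that overrides `script-src` without a nonce source will break that page's inline scripts, and one that keeps the nonce source needs the nonce in its own views. A one-line comment on `content_security_policy_nonce_directives` saying that both listed directives consume the same per-request value from the generator above would help the next reader.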
2 changes: 1 addition & 1 deletion spec/requests/content_security_policy_spec.rb
@@ -21,7 +21,7 @@
"child-src 'self' blob: https://cb6e6126.ngrok.io",
"worker-src 'self' blob: https://cb6e6126.ngrok.io",
"connect-src 'self' blob: data: ws://localhost:4000 https://cb6e6126.ngrok.io",
"script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'"
"script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval' 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='"
)
end
end
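Review bot: the expected `'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='` is a fixed literal, which only holds if the nonce generator (or `SecureRandom.base64`) is stubbed in the spec setup; that setup is outside this hunk, and without it the assertion is nondeterministic. Either place the stub explicitly next to this expectation, or match with a pattern such as `/script-src .* 'nonce-[A-Za-z0-9+\/]+=*'/` and additionally assert that `style-src` and `script-src` carry the same nonce value, which is the property this commit actually introduces.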

0 comments on commit b1f2c39